Akash,
On 5/8/14, 9:56 PM, Akash Jain wrote:
> Hi,
>
> I am trying to resolve a session fixation issue with Tomcat 7.0.52.
>
> We have a Spring MVC application running on it, and the Auth method
> is provided by another application which writes a cookie, and we use
> the cookie value to check whether the user is valid or not.
>
> My application URL patterns are:
> / - Home page
> /login - Redirect to another application to ask user to authenticate
> /myaccess/user*** -- All authenticated URLs
>
> Context path= docBase=myapplication
> sessionCookieName=mycookiename
> sessionCookieDomain=application.mydomain.com
> sessionCookiePath=/
>
> As I cannot use org.apache.catalina.authenticator.FormAuthenticator
> here, how can I prevent the session fixation?

If you are managing the authentication yourself, then you'll have to
handle (mitigate) session fixation yourself, too. You can invalidate
and create a new session in the same request, if you want.

-chris
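
An added example, not part of the original thread and not Tomcat's or the poster's code: a servlet filter that applies the "invalidate and create a new session in the same request" advice the first time a request carries a valid external auth cookie. The cookie name EXTERNAL_AUTH, the "authenticated" session attribute and the isValidAuthToken() hook are assumptions standing in for the application's own cookie check; Servlet 3.0 (Tomcat 7) has no HttpServletRequest.changeSessionId(), so the session is replaced by hand.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: rotates the session ID when external authentication is first seen.
public abstract class SessionRotationFilter implements Filter {
    private static final String AUTH_COOKIE = "EXTERNAL_AUTH"; // placeholder cookie name
    private static final String AUTH_FLAG = "authenticated";   // hypothetical attribute

    // Hypothetical hook: the application's existing check of the auth cookie value.
    protected abstract boolean isValidAuthToken(String cookieValue);

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession old = req.getSession(false);
        boolean alreadyBound = old != null && Boolean.TRUE.equals(old.getAttribute(AUTH_FLAG));
        String token = authCookieValue(req);
        if (!alreadyBound && token != null && isValidAuthToken(token)) {
            // Carry over pre-login state; copy only the attributes you need if
            // anything stored before login should not be trusted afterwards.
            Map<String, Object> saved = new HashMap<String, Object>();
            if (old != null) {
                for (String name : Collections.list(old.getAttributeNames())) {
                    saved.put(name, old.getAttribute(name));
                }
                old.invalidate(); // the pre-login session ID is dead from here on
            }
            HttpSession fresh = req.getSession(true); // new ID, new session cookie
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
            fresh.setAttribute(AUTH_FLAG, Boolean.TRUE); // rotate once per login
        }
        chain.doFilter(rq, rs);
    }

    private String authCookieValue(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies(); // null when the request has no cookies
        if (cookies != null) for (Cookie c : cookies) {
            if (AUTH_COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

Map a concrete subclass ahead of the authenticated URL patterns so the rotation happens before any response is committed; otherwise the new session cookie cannot be sent.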