Re: Is it normal to keep the value when Tomcat restarts after a JSESSIONID was created?

2014-10-23 Thread Christopher Schultz

이강우,

On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
 OK, I understand.
 
 - the session identifier should change to prevent session-fixation
 attacks.
 
 But how can I set Tomcat to regenerate the id value? I searched the
 documentation, but can't find it.

I'm not sure what you are asking. Can you ask in a different way? Do
you want Tomcat to reject the requested (invalid) session id and
generate a new one instead?

-chris

 2014-10-22 22:44 GMT+09:00 Christopher Schultz ch...@christopherschultz.net:
 
 이강우,
 
 On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
 Environment: openjdk 1.7, Tomcat 7.0.55 with native connector, Apache 2.4.10 with mod-jk 1.2.40
 
 1. Tomcat start
 2. Client request: JSESSIONID is null
 3. Tomcat response: JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
 4. Refresh page: session attribute (name=count, value=count++) is correct; count is increasing.
 
 Good so far.
 
 5. Tomcat stop/start (restart); the context is configured not to persist sessions
 
 Okay.
 
 6. Client refresh: the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
 7. Session attribute (name=count, value=0) is reset, but the JSESSIONID is kept
 
 Question: why does Tomcat use the JSESSIONID value sent by the client request? Why is it not regenerated?
 
 If the client requests a session by id, Tomcat will try to give it
 to them. If it doesn't exist, it will use that session identifier
 for the new session.
 
 Did the user actually authenticate with Tomcat? Or just get an 
 anonymous session? If the user authenticates with Tomcat, the
 session identifier should change to prevent session-fixation
 attacks.
 
 Is this the Java spec?
 
 I believe the spec says nothing about the generation of session
 ids. Even the above session-fixation behavior is outside of the
 spec (but definitely does not violate it).
 
 -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 




Re: Is it normal to keep the value when Tomcat restarts after a JSESSIONID was created?

2014-10-23 Thread KangWoo Lee
I found the cause. Setting the context attribute sessionCookiePath=/ has the
same effect as emptySessionPath. The Tomcat documentation says that if
emptySessionPath is set, then Tomcat uses the session id value from the client request.

I solved it. Thanks for your comment.
On 2014-10-24 at 12:42 AM, Christopher Schultz ch...@christopherschultz.net wrote:


 이강우,

 On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
  OK, I understand.
  
  - the session identifier should change to prevent session-fixation
  attacks.
  
  But how can I set Tomcat to regenerate the id value? I searched the
  documentation, but can't find it.

 I'm not sure what you are asking. Can you ask in a different way? Do
 you want Tomcat to reject the requested (invalid) session id and
 generate a new one instead?

 -chris

  2014-10-22 22:44 GMT+09:00 Christopher Schultz ch...@christopherschultz.net:
 
  이강우,
 
  On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
  Environment: openjdk 1.7, Tomcat 7.0.55 with native connector, Apache 2.4.10 with mod-jk 1.2.40
 
  1. Tomcat start
  2. Client request: JSESSIONID is null
  3. Tomcat response: JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
  4. Refresh page: session attribute (name=count, value=count++) is correct; count is increasing.
 
  Good so far.
 
  5. Tomcat stop/start (restart); the context is configured not to persist sessions
 
  Okay.
 
  6. Client refresh: the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
  7. Session attribute (name=count, value=0) is reset, but the JSESSIONID is kept
 
  Question: why does Tomcat use the JSESSIONID value sent by the client request? Why is it not regenerated?
 
  If the client requests a session by id, Tomcat will try to give it
  to them. If it doesn't exist, it will use that session identifier
  for the new session.
 
  Did the user actually authenticate with Tomcat? Or just get an
  anonymous session? If the user authenticates with Tomcat, the
  session identifier should change to prevent session-fixation
  attacks.
 
  Is this the Java spec?
 
  I believe the spec says nothing about the generation of session
  ids. Even the above session-fixation behavior is outside of the
  spec (but definitely does not violate it).
 
  -chris
 
 
 
 





Is it normal to keep the value when Tomcat restarts after a JSESSIONID was created?

2014-10-22 Thread KangWoo Lee
Environment:
- openjdk 1.7
- Tomcat 7.0.55 with native connector
- Apache 2.4.10 with mod-jk 1.2.40

   1. Tomcat start
   2. Client request: JSESSIONID is null
   3. Tomcat response: JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
   4. Refresh page: session attribute (name=count, value=count++) is correct; count is increasing.
   5. Tomcat stop/start (restart); the context is configured not to persist sessions
   6. Client refresh: the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
   7. Session attribute (name=count, value=0) is reset, but the JSESSIONID is kept

Question: why does Tomcat use the JSESSIONID value sent by the client request? Why is it not regenerated?

Is this the Java spec?

thanks.


Re: Is it normal to keep the value when Tomcat restarts after a JSESSIONID was created?

2014-10-22 Thread Christopher Schultz

이강우,

On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
 Environment: openjdk 1.7, Tomcat 7.0.55 with native connector, Apache 2.4.10 with mod-jk 1.2.40
 
 1. Tomcat start
 2. Client request: JSESSIONID is null
 3. Tomcat response: JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
 4. Refresh page: session attribute (name=count, value=count++) is correct; count is increasing.

Good so far.

 5. Tomcat stop/start (restart); the context is configured not to persist sessions

Okay.

 6. Client refresh: the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
 7. Session attribute (name=count, value=0) is reset, but the JSESSIONID is kept
 
 Question: why does Tomcat use the JSESSIONID value sent by the client request? Why is it not regenerated?

If the client requests a session by id, Tomcat will try to give it to
them. If it doesn't exist, it will use that session identifier for the
new session.

Did the user actually authenticate with Tomcat? Or just get an
anonymous session? If the user authenticates with Tomcat, the session
identifier should change to prevent session-fixation attacks.

 Is this the Java spec?

I believe the spec says nothing about the generation of session ids.
Even the above session-fixation behavior is outside of the spec (but
definitely does not violate it).

-chris

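The behaviour Chris describes above (Tomcat honours a client-presented JSESSIONID and, with the sessionCookiePath="/" setting KangWoo Lee identified in his follow-up, reuses that id even for a brand-new session) is the precondition for session fixation: an attacker who can plant a cookie value in a victim's browser knows the id the victim will later be logged in under. The following is an added example, not code from this thread or from Tomcat itself, showing how an application-managed login on the Servlet 3.0 API (the level Tomcat 7 provides) rotates the session id at authentication and detects the case where the container hands the pre-login id straight back. The class names, the "cart" and "locale" attribute names and the abstract credential check are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session-id handling for application-managed login on the Servlet 3.0 API (what Tomcat 7 ships). */
public final class SessionFixationGuard {
    private SessionFixationGuard() {}

    /**
     * True when the client presented a JSESSIONID the container does not know: stale after a
     * restart (the case in this thread) or planted by an attacker who wants the victim logged
     * in under an id the attacker already holds.
     */
    public static boolean presentedUnknownId(HttpServletRequest request) {
        return request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid();
    }

    /**
     * Discards the current session and creates a fresh one, carrying over only the named
     * attributes. Must run after credentials have been verified and before the response is
     * committed, otherwise the Set-Cookie header for the new id can no longer be sent.
     */
    public static HttpSession rotate(HttpServletRequest request, Set<String> attributesToKeep) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (attributesToKeep.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}

/**
 * Login servlet skeleton (hypothetical name). The credential check belongs to the application
 * and is left abstract; a concrete subclass supplies it and the @WebServlet("/login") mapping.
 */
abstract class RotatingLoginServlet extends HttpServlet {
    // Attribute names assumed for illustration: pre-login state worth keeping across the rotation.
    private static final Set<String> KEEP = new HashSet<String>(Arrays.asList("cart", "locale"));

    protected abstract boolean credentialsValid(String user, char[] password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String presentedId = req.getRequestedSessionId();
        if (SessionFixationGuard.presentedUnknownId(req)) {
            // Normal after a Tomcat restart; a burst of these from one source is a fixation signal.
            getServletContext().log("login carried an unknown session id from " + req.getRemoteAddr());
        }

        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null || !credentialsValid(user, password.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = SessionFixationGuard.rotate(req, KEEP);
        if (presentedId != null && presentedId.equals(session.getId())) {
            // Tomcat's Context reference warns that with sessionCookiePath="/" a cookie-supplied id
            // survives invalidate-and-create, so the rotation above did nothing. Fail closed rather
            // than promote an id the client chose to an authenticated session.
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "session id was not rotated");
            return;
        }
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The fail-closed branch matters in exactly the configuration from this thread: the Tomcat Context configuration reference for sessionCookiePath notes that once a web application uses sessionCookiePath="/", a cookie-supplied session id is kept even when the session is invalidated and a new one created, so invalidate-and-create alone does not rotate it. For container-managed FORM or BASIC login (a login-config in web.xml) Tomcat's authenticator valves already rotate the id at authentication (changeSessionIdOnAuthentication, default true), and on Tomcat 8 and later HttpServletRequest.changeSessionId() from Servlet 3.1 performs the rotation in one call without the attribute copying shown here.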



Re: Is it normal to keep the value when Tomcat restarts after a JSESSIONID was created?

2014-10-22 Thread KangWoo Lee
OK, I understand.

- the session identifier should change to prevent session-fixation attacks.

But how can I set Tomcat to regenerate the id value?
I searched the documentation, but can't find it.


2014-10-22 22:44 GMT+09:00 Christopher Schultz ch...@christopherschultz.net:


 이강우,

 On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
  Environment: openjdk 1.7, Tomcat 7.0.55 with native connector, Apache 2.4.10 with mod-jk 1.2.40
 
  1. Tomcat start
  2. Client request: JSESSIONID is null
  3. Tomcat response: JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
  4. Refresh page: session attribute (name=count, value=count++) is correct; count is increasing.

 Good so far.

  5. Tomcat stop/start (restart); the context is configured not to persist sessions

 Okay.

  6. Client refresh: the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
  7. Session attribute (name=count, value=0) is reset, but the JSESSIONID is kept
  
  Question: why does Tomcat use the JSESSIONID value sent by the client request? Why is it not regenerated?

 If the client requests a session by id, Tomcat will try to give it to
 them. If it doesn't exist, it will use that session identifier for the
 new session.

 Did the user actually authenticate with Tomcat? Or just get an
 anonymous session? If the user authenticates with Tomcat, the session
 identifier should change to prevent session-fixation attacks.

  Is this the Java spec?

 I believe the spec says nothing about the generation of session ids.
 Even the above session-fixation behavior is outside of the spec (but
 definitely does not violate it).

 -chris
