Joseph,
On 3/14/14, 5:59 AM, Joesph Bleau wrote:
> Right now we're running our application in Tomcat and using
> hazelcast to share information across our multiple instances. In an
> attempt to prevent session fixation I implemented a tomcat valve
> which invalidates sessions when a user authenticates (or in this
> case, just visits the authentication endpoints). This is causing an
> issue where our application proper isn't getting notified of
> invalidated sessions and they're hanging around in the hazelcast
> map.

Any reason not to trust Tomcat's session-fixation prevention (which implements session-id changing, and already works across a cluster)?

> I tried everything I could to fix the session fixation problem
> within the scope of my application but no matter what I did it
> seemed like tomcat would persist a user's session even after
> invalidating it, so this was my solution, and of course I face an
> equally annoying and difficult problem.
>
> We're using tomcat7, apache 2.2 / mod_jk to load balance, spring
> 3.1, and hazelcast 2.2
>
> Any and all advice / tips / scorn appreciated.
:-)

> Joseph Bleau
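An added example, not part of the original thread and not code from either poster: a Tomcat 7 valve that changes the session ID on the authentication endpoints instead of invalidating the session, using the same two calls Tomcat 7's own authenticator makes when changeSessionIdOnAuthentication is enabled. The class name and the "/auth/" path prefix are assumptions; the session object and its attributes survive, so nothing is destroyed that the application would need to be told about.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: rotate the session ID rather than invalidate the session. */
public class RotateSessionIdValve extends ValveBase {

    // Assumed location of the authentication endpoints, relative to the
    // context path; configurable from the <Valve> element.
    private String authPathPrefix = "/auth/";

    public void setAuthPathPrefix(String authPathPrefix) {
        this.authPathPrefix = authPathPrefix;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String uri = request.getRequestURI();
        String prefix = request.getContextPath() + authPathPrefix;

        if (uri != null && uri.startsWith(prefix)) {
            // false: never create a session just to rotate it
            Session session = request.getSessionInternal(false);
            if (session != null) {
                // Same object, same attributes, new ID. The Manager assigns
                // the new ID (a clustered Manager propagates the change) ...
                Manager manager = request.getContext().getManager();
                manager.changeSessionId(session);
                // ... and the request is updated so the response carries the
                // new JSESSIONID. An ID planted before login is now useless.
                request.changeSessionId(session.getId());
            }
        }
        getNext().invoke(request, response);
    }
}
```

Application data keyed by the session ID string would have to be re-keyed after the change; data held as session attributes moves with the session.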