It's possible (read: likely) that we're doing something incorrectly, but we're using Spring, and it was already attempting to provide session fixation within the application by invalidating sessions upon authentication. However, it appears that Tomcat was providing us with the same session ID for our new session. I've scoured the internet and I've seen that I'm not the first person to have this problem, but there was no definitive solution available. I ultimately settled on invalidating the session in the valve, which appeared to work; Tomcat didn't provide the same ID here.
On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Joseph,
>
> On 3/14/14, 5:59 AM, Joseph Bleau wrote:
> > Right now we're running our application in Tomcat and using
> > Hazelcast to share information across our multiple instances. In an
> > attempt to prevent session fixation I implemented a Tomcat valve
> > which invalidates sessions when a user authenticates (or in this
> > case, just visits the authentication endpoints). This is causing an
> > issue where our application proper isn't getting notified of
> > invalidated sessions and they're hanging around in the Hazelcast
> > map.
>
> Any reason not to trust Tomcat's session-fixation prevention (which
> implements session-id changing, and already works across a cluster)?
>
> > I tried everything I could to fix the session fixation problem
> > within the scope of my application, but no matter what I did it
> > seemed like Tomcat would persist a user's session even after
> > invalidating it, so this was my solution, and of course I face an
> > equally annoying and difficult problem.
> >
> > We're using Tomcat 7, Apache 2.2 / mod_jk to load balance, Spring
> > 3.1, and Hazelcast 2.2.
> >
> > Any and all advice / tips / scorn appreciated. :-)
> >
> > Joseph Bleau
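The approach the reply points at, and the one Tomcat's own Authenticator valves take when changeSessionIdOnAuthentication="true" (the default), is to keep the session object and rotate only its identifier, so that an ID planted before login no longer names the authenticated session and nothing is invalidated for the application or a replication layer to clean up. The Tomcat 7 valve below is an added illustration written for this page; it is not code from the thread, from Tomcat, from Spring or from Hazelcast. The package, class name and authPathPrefix attribute are assumptions, and it only covers the Tomcat side: whether a third-party session manager such as the Hazelcast integration in the thread propagates Manager.changeSessionId to the other nodes is something to verify for that manager (Tomcat's own cluster managers do).

```java
package example.valves; // hypothetical package, not part of Tomcat

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Rotates the session ID on requests to the authentication endpoints
 * instead of invalidating the session. Attributes survive, only the
 * identifier changes, so Spring never sees an invalidated session and
 * the session manager's bookkeeping (including any cluster replication
 * it performs for changeSessionId) stays consistent.
 *
 * Configure in context.xml (illustrative):
 *   <Valve className="example.valves.SessionIdRotatingValve"
 *          authPathPrefix="/login"/>
 */
public class SessionIdRotatingValve extends ValveBase {

    /** Context-relative path prefix of the login endpoint (assumed default). */
    private String authPathPrefix = "/login";

    public void setAuthPathPrefix(String authPathPrefix) {
        this.authPathPrefix = authPathPrefix;
    }

    public String getAuthPathPrefix() {
        return authPathPrefix;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        if (isAuthRequest(request)) {
            // Only rotate an existing session; a first-time visitor with no
            // session has nothing an attacker could have fixed in advance.
            Session session = request.getSessionInternal(false);
            if (session != null) {
                Manager manager = request.getContext().getManager();
                // Tomcat 7 Manager API: assign a fresh ID to the same Session
                // object and re-key it in the manager (and, for cluster-aware
                // managers, notify the other nodes).
                manager.changeSessionId(session);
                // Tell the connector to send a Set-Cookie with the new
                // JSESSIONID for this response.
                request.changeSessionId(session.getId());
            }
        }

        // Always continue the pipeline so the application performs the
        // actual credential check as before.
        getNext().invoke(request, response);
    }

    /**
     * Credential submissions are POSTs to the login endpoint; rotating on
     * every GET of the login page would churn IDs without adding protection.
     */
    private boolean isAuthRequest(Request request) {
        if (!"POST".equals(request.getMethod())) {
            return false;
        }
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        String path = uri.startsWith(contextPath)
                ? uri.substring(contextPath.length())
                : uri;
        return path.startsWith(authPathPrefix);
    }
}
```

The rotation happens before the application checks the credentials, which is enough for fixation: the ID the attacker knew never becomes the authenticated session's ID, and the new one is only seen by the legitimate client. If Spring Security's own session-fixation protection (migrateSession in 3.1) is also left enabled, the second rotation after a successful login is harmless but redundant; pick one layer and disable the other so that the behaviour is easy to reason about and to test.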