Would anybody be surprised if I mentioned that we're running an outdated version of Tomcat? Thanks for the tip. I'm going to remove Spring's session fixation prevention strategy, also remove the custom valve I had written, upgrade to a version unaffected by this, and test. This is going to alleviate a lot of headache (well, until I tell our managers that we need to upgrade Tomcat as a part of our next deploy... :P)
On Fri, Mar 14, 2014 at 11:28 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2014-03-14 19:04 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> > Joseph,
> >
> > On 3/14/14, 9:49 AM, Joesph Bleau wrote:
> >> I should also mention that after some very simple testing I was
> >> able to confirm that (of course) Tomcat is notifying my application
> >> when the session is invalidated in a valve. I'm still fairly new to
> >> this entire stack, so forgive my ignorance. :-)
> >
> > No problem. Tomcat does in fact change the session id, but only
> > *after* a successful authentication (but before the session is blessed
> > with authentication information). I believe you said something about
> > changing the session id when the user accesses the login page --
> > regardless of whether the authentication attempt is successful. Tomcat
> > doesn't do that.
>
> Tomcat does that.
>
> For FORM authentication the session id is changed twice. This security
> feature is CVE-2013-2067.
>
> > Mark does a good job describing the whole situation here:
> > http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
> >
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
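The ordering Christopher and Konstantin describe above (a new session id after a successful authentication, and the principal stored in the session only afterwards) written out as a small login servlet. This is an added example, not code from the thread, from Tomcat or from Spring; it assumes Servlet 3.1 or later (Tomcat 8+, javax.servlet namespace) for HttpServletRequest.changeSessionId(), and the /login path, the DEMO_USERS map and the "user" attribute name are placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread or from Tomcat: a FORM-style login
 * servlet that rotates the session id only after the credentials check out,
 * and stores the principal only after the rotation. Assumes Servlet 3.1+
 * (Tomcat 8 or later) for HttpServletRequest.changeSessionId().
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Constructed demo credential store; placeholder for a real user store. */
    private static final Map<String, String> DEMO_USERS =
            Collections.singletonMap("alice", "correct horse battery staple");

    /** Session attribute that marks a session as authenticated (placeholder name). */
    static final String USER_ATTR = "user";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (user == null || pass == null || !checkCredentials(user, pass)) {
            // Failed attempt: leave the anonymous session and its id alone.
            // Rotating the id merely because the login page was visited
            // (which, per the thread, Tomcat does not do) protects nothing,
            // because the session still carries no authentication state.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Successful authentication. Rotate FIRST, so an id an attacker
        // planted before login (session fixation) never becomes the id of
        // an authenticated session. changeSessionId() keeps the attributes
        // (e.g. a saved request) and only replaces the id.
        HttpSession session = req.getSession(true);
        String oldId = session.getId();
        String newId = req.changeSessionId();
        if (newId.equals(oldId)) {
            // Should never happen on Tomcat; fail closed rather than continue.
            throw new ServletException("session id was not rotated");
        }

        // ... and only THEN bless the session with authentication information.
        // Setting the principal before the rotation would leave a window in
        // which the attacker-known id is an authenticated one.
        session.setAttribute(USER_ATTR, user);

        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Constant-time comparison against the demo store; use real password hashing in practice. */
    static boolean checkCredentials(String user, String pass) {
        String expected = DEMO_USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                pass.getBytes(StandardCharsets.UTF_8));
    }
}
```

When FORM authentication is configured in web.xml, Tomcat's own authenticator performs this rotation for you, which is why the thread's advice is to drop the custom valve and Spring's strategy and upgrade; the explicit changeSessionId() call is for applications that run their own login flow. On a Servlet 3.0 container the equivalent is to copy the session attributes, invalidate() the old session, getSession(true), and copy the attributes back before setting the principal.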