Akash,

On 5/8/14, 9:56 PM, Akash Jain wrote:
> Hi,
>
> I am trying to resolve a session fixation issue with Tomcat 7.0.52.
>
> We have a Spring MVC application running on it, and the auth method
> is provided by another application which writes a cookie, and we use
> the cookie value to check whether the user is valid or not.
>
> My application URL patterns are:
> / - Home page
> /login - Redirect to another application to ask the user to authenticate
> /myaccess/user*** --> All authenticated URLs
>
> <Context path="" docBase="myapplication"
>          sessionCookieName="mycookiename"
>          sessionCookieDomain="application.mydomain.com"
>          sessionCookiePath="/">
>
> As I cannot use org.apache.catalina.authenticator.FormAuthenticator
> here.
>
> How can I prevent the session fixation?

If you are managing the authentication yourself, then you'll have to
handle (mitigate) session fixation yourself, too. You can invalidate and
create a new session in the same request, if you want.

-chris
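One way to do what Chris describes, as an added example that is not code from the thread: a servlet filter that, on the request where the external cookie first validates, invalidates whatever session the client arrived with and creates a fresh one before marking it authenticated. The cookie name `authtoken`, the `TokenValidator` hook (whatever you use to ask the other application whether a cookie value is valid), and the `authenticatedUser` attribute are assumptions; the `/myaccess/` and `/login` paths are the ones from the question.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ExternalAuthSessionFilter implements Filter {
    /** Hypothetical hook: asks the external auth application which user a cookie value belongs to (null if invalid). */
    public interface TokenValidator { String userFor(String token); }
    private static final String AUTH_COOKIE = "authtoken";          // assumed name of the cookie the auth app writes
    private static final String PRINCIPAL_ATTR = "authenticatedUser";
    private final TokenValidator validator;
    public ExternalAuthSessionFilter(TokenValidator validator) { this.validator = validator; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        boolean wasAuthenticated = session != null && session.getAttribute(PRINCIPAL_ATTR) != null;
        String token = null;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) for (Cookie c : cookies) if (AUTH_COOKIE.equals(c.getName())) token = c.getValue();
        String user = (token == null) ? null : validator.userFor(token);

        if (user != null && !wasAuthenticated) {
            // Anonymous -> authenticated: discard the session id the client arrived with and issue a
            // fresh one within this same request, carrying over any attributes set before login.
            Map<String, Object> carried = new HashMap<String, Object>();
            if (session != null) {
                for (Enumeration<String> e = session.getAttributeNames(); e.hasMoreElements();) {
                    String name = e.nextElement();
                    carried.put(name, session.getAttribute(name));
                }
                session.invalidate();
            }
            session = request.getSession(true);
            for (Map.Entry<String, Object> kv : carried.entrySet()) session.setAttribute(kv.getKey(), kv.getValue());
            session.setAttribute(PRINCIPAL_ATTR, user);
        } else if (user == null && wasAuthenticated) {
            session.invalidate();   // cookie gone or rejected: stop serving the old login
            session = null;
        }
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/myaccess/") && (session == null || session.getAttribute(PRINCIPAL_ATTR) == null)) {
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the new session is created in the same request, Tomcat sends the replacement id in the `mycookiename` cookie configured on the Context, so the id a client presented before authenticating never becomes an authenticated one. Servlet 3.1 added `HttpServletRequest.changeSessionId()` for this, but Tomcat 7 implements Servlet 3.0, so invalidate-and-recreate is the portable approach there.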