OK, I understand.

-> the session identifier should change to prevent session-fixation attacks.

But how can I set Tomcat to regenerate the id value?
I was searching the documentation, but can't find it.


2014-10-22 22:44 GMT+09:00 Christopher Schultz <ch...@christopherschultz.net>:

>
> 이강우,
>
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> > Environment: openjdk 1.7, tomcat 7.0.55 with native connector,
> > apache 2.4.10 with mod-jk 1.2.40
> >
> > 1. Tomcat start
> > 2. Client request -> JSESSIONID is null
> > 3. Tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
> > 4. Refresh page -> session attribute (name=count, value=count++) is
> > correct. count is increasing.
>
> Good so far.
>
> > 5. Tomcat stop -> start (restart). Context setting is that the session is
> > not persisted.
>
> Okay.
>
> > 6. Client refresh -> client request sends
> > JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
> > 7. Session attribute (name=count, value=0) is reset, but JSESSIONID is kept
> >
> > Question: why does Tomcat use the JSESSIONID value set by the client request?
> > Is it not regenerated?
>
> If the client requests a session by id, Tomcat will try to give it to
> them. If it doesn't exist, it will use that session identifier for the
> new session.
>
> Did the user actually authenticate with Tomcat? Or just get an
> anonymous session? If the user authenticates with Tomcat, the session
> identifier should change to prevent session-fixation attacks.
>
> > is this java spec?
>
> I believe the spec says nothing about the generation of session ids.
> Even the above session-fixation behavior is outside of the spec (but
> definitely does not violate it).
>
> -chris
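The id rotation on login that the reply describes, written out as an added example (not code from this thread or from Tomcat): a hypothetical login servlet for a Servlet 3.0 container such as the Tomcat 7 in the thread, where HttpServletRequest.changeSessionId() is not yet available, so the pre-login session is invalidated and recreated, and the servlet refuses to continue if the container handed back the same id the client submitted. When container-managed authentication (a login-config with a Realm) is used instead, Tomcat 7's authenticator valves rotate the id themselves (changeSessionIdOnAuthentication, default true); application-managed logins must do it in code like this.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet for a Servlet 3.0 container such as Tomcat 7.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (user == null || user.isEmpty() || req.getParameter("pass") == null) { // placeholder check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only after the credentials are accepted: retire the pre-login session id.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Servlet 3.0 has no changeSessionId() (that arrived in 3.1), so emulate it: copy the
    // current session's attributes, invalidate it, and let the container create a new one.
    static HttpSession rotateSession(HttpServletRequest req) throws ServletException {
        Map<String, Object> saved = new HashMap<String, Object>();
        String oldId = null;
        HttpSession old = req.getSession(false);
        if (old != null) {
            oldId = old.getId();
            for (Enumeration<String> n = old.getAttributeNames(); n.hasMoreElements();) {
                String name = n.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        // The thread above shows Tomcat can reuse an id the client submitted;
        // treat that as a hard failure rather than silently keeping the old id.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new ServletException("session id was not regenerated");
        }
        for (Map.Entry<String, Object> e : saved.entrySet()) fresh.setAttribute(e.getKey(), e.getValue());
        return fresh;
    }
}
```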