On 11.01.16 at 12:21, André Warnier (tomcat) wrote:
> So the solution in your case, is to make sure, in your application
> logic, that the first unauthenticated request would be totally processed
> by the server, and the response processed by the client, before the
> client sends a second request.
> If you do this, then the second client request /will/ contain the /same/
> authentication token as the first request, and you will not have this
> problem.
>
> How to achieve this is left as an exercise for the reader.

This means changing all browsers to submit only one concurrent request if the server is Apache Tomcat? Really?

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
  changeSessionIdOnAuthentication="false" />

Found the description of how to switch the "feature" off at http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection.

I will file two bugs soon describing the issues I had. Hopefully they will be fixed.

1.) If using HttpServletRequest.login(String, String), further requests in the session are losing the user's Principal.

2.) After changing the sessionId, old sessionIds should still be valid for a short period of time for the same client.

Fixing one of these would cause the bug to disappear.

To prevent session fixation attacks, I use IP address checking so that sessions are bound to the same IP address.

Thanks to all the responses. Without your help it would not have been possible to get this fixed after two months of searching!

kind regards,

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
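The race the thread describes (session ID rotated on login while a second request with the old ID is already in flight), together with the two proposals in the message above (a short grace period for the old ID and binding sessions to the client address), as an added toy simulation. This is illustration code written for this page, not Tomcat's own session manager; the class, function and parameter names and the client addresses are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Toy in-memory session store (added example, not Tomcat code).

    Models the behaviour discussed in the thread: the session ID is
    rotated when a user authenticates (what Tomcat's
    changeSessionIdOnAuthentication does), and sessions are bound to the
    client address, as the poster does. ``grace_seconds`` is the
    "old session ID stays valid briefly for the same client" idea from
    the poster's second bug report; grace_seconds=0 reproduces the
    behaviour where a concurrent request loses the Principal.
    """

    def __init__(self, grace_seconds=0.0, bind_to_client=True):
        self.sessions = {}   # current session id -> session dict
        self.retired = {}    # old session id -> (new id, expiry, owner client)
        self.grace_seconds = grace_seconds
        self.bind_to_client = bind_to_client

    def new_session(self, client):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"client": client, "principal": None}
        return sid

    def resolve(self, sid, client, now=None):
        """Map a presented session id to (effective_id, session).

        Returns (None, None) when the id is unknown, belongs to another
        client, or is a retired id whose grace period has passed.
        """
        now = time.monotonic() if now is None else now
        session = self.sessions.get(sid)
        if session is not None:
            if self.bind_to_client and session["client"] != client:
                return None, None
            return sid, session
        retired = self.retired.get(sid)
        if retired is not None:
            new_sid, expiry, owner = retired
            if now > expiry or new_sid not in self.sessions:
                del self.retired[sid]          # grace period over: forget the old id
            elif owner == client:
                return new_sid, self.sessions[new_sid]
        return None, None

    def login(self, sid, client, username, now=None):
        """Authenticate the session and rotate its id (session fixation defence).

        Returns the new session id the client must use from now on.
        """
        now = time.monotonic() if now is None else now
        effective, session = self.resolve(sid, client, now)
        if session is None:
            raise KeyError("no usable session for this client")
        session["principal"] = username
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(effective)
        # Remember the old id briefly so a request already in flight with
        # the old id still reaches the authenticated session.
        self.retired[effective] = (new_sid, now + self.grace_seconds, client)
        return new_sid


def principal_seen_by_inflight_request(grace_seconds, delay=0.5):
    """Principal seen by a second request that still carries the OLD id."""
    store = SessionStore(grace_seconds=grace_seconds)
    client = "198.51.100.7"                 # constructed client address
    old_sid = store.new_session(client)
    t0 = 100.0
    store.login(old_sid, client, "thomas", now=t0)
    _, session = store.resolve(old_sid, client, now=t0 + delay)
    return session["principal"] if session else None


def principal_seen_by_other_client(grace_seconds=2.0):
    """Another host presenting either id gets nothing, even inside the grace window."""
    store = SessionStore(grace_seconds=grace_seconds)
    victim, other = "198.51.100.7", "203.0.113.9"   # constructed addresses
    old_sid = store.new_session(victim)
    t0 = 100.0
    new_sid = store.login(old_sid, victim, "thomas", now=t0)
    _, via_old = store.resolve(old_sid, other, now=t0 + 0.5)
    _, via_new = store.resolve(new_sid, other, now=t0 + 0.5)
    return via_old, via_new


if __name__ == "__main__":
    print("no grace period:", principal_seen_by_inflight_request(0.0))
    print("2 s grace period:", principal_seen_by_inflight_request(2.0))
    print("other client:", principal_seen_by_other_client())
```

With no grace period the in-flight request maps to nothing and the application sees an unauthenticated session, which is the lost Principal from the thread; with a short grace window the old id is still honoured for the same client only, so the rotation keeps its session-fixation value against a third party holding the old id.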
