On 11/01/2016 20:52, Thomas Scheffler wrote:
> Am 11.01.16 um 12:21 schrieb André Warnier (tomcat):
>> So the solution in your case, is to make sure, in your application
>> logic, that the first unauthenticated request would be totally processed
>> by the server, and the response processed by the client, before the
>> client sends a second request.
>> If you do this, then the second client request /will/ contain the /same/
>> authentication token as the first request, and you will not have this
>> problem.
>>
>> How to achieve this, is left as an exercise for the reader.
> 
> This means changing all browsers to submit only one concurrent request
> if the server is Apache Tomcat? Really?

No, it simply means you have to construct your application in a sane
manner so the client won't issue parallel requests for protected resources.

> 
> <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
>   changeSessionIdOnAuthentication="false" />
> 
> Found on
> http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
> the description of how to switch the "feature" off.
> 
> I will file two bugs soon describing the issues I had. Hopefully they
> will be fixed.
> 
> 1.) if using HttpServletRequest.login(String, String) further requests in
> the session are losing the user's Principal.
> 
> 2.) After changing the sessionId, old sessionIds should still be valid for a
> short period of time to the same client.

The second request will get closed as INVALID on security grounds. If
the old ID is valid for any period of time it makes a session fixation
attack possible. You might as well disable changing the session ID on
authentication.

For the first, the description above isn't clear enough to be sure
exactly what you are asking for. However, based on the second request
and what I have read of this thread I suspect that request will get
closed as INVALID or WONTFIX.

Mark
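To make the trade-off in Mark's reply concrete, here is an added example that is not part of the thread and not Tomcat's own code: a small Python model of a servlet-container session store. It is a hypothetical implementation with two knobs that mirror the behaviours discussed above, `rotate` (Tomcat's `changeSessionIdOnAuthentication`) and `grace_seconds` (the "old id stays valid for a short period" behaviour Thomas asked for). The scenario function plants a pre-authentication session id on a victim, lets the victim log in, and then checks what an attacker holding the old id gets, and what happens to a stale parallel request from the victim. All names, ids and timings are constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    id: str
    attributes: Dict[str, str] = field(default_factory=dict)
    principal: Optional[str] = None  # None until the session is authenticated


class SessionManager:
    """Hypothetical session store (not Tomcat's Manager).

    rotate=False       ~ changeSessionIdOnAuthentication="false"
    grace_seconds > 0  ~ keep the retired id resolvable for a while after rotation
    """

    def __init__(self, rotate: bool = True, grace_seconds: float = 0.0):
        self.rotate = rotate
        self.grace_seconds = grace_seconds
        self.sessions: Dict[str, Session] = {}
        # retired old id -> (replacement id, time of rotation)
        self.retired: Dict[str, Tuple[str, float]] = {}

    def create(self) -> Session:
        s = Session(id=secrets.token_hex(16))
        self.sessions[s.id] = s
        return s

    def resolve(self, sid: str, now: float) -> Optional[Session]:
        """Map a presented id to a live session, honouring the grace window if any."""
        live = self.sessions.get(sid)
        if live is not None:
            return live
        alias = self.retired.get(sid)
        if alias is not None and (now - alias[1]) < self.grace_seconds:
            return self.sessions.get(alias[0])
        return None

    def authenticate(self, sid: str, user: str, now: float) -> str:
        """Bind a principal to the session; returns the id the client must use from now on."""
        s = self.resolve(sid, now)
        if s is None:
            raise KeyError("unknown session")
        s.principal = user
        if not self.rotate:
            return s.id
        # Rotate: move state to a fresh id, drop the old one (optionally with a grace alias).
        fresh = Session(id=secrets.token_hex(16), attributes=s.attributes, principal=user)
        del self.sessions[s.id]
        self.sessions[fresh.id] = fresh
        if self.grace_seconds > 0:
            self.retired[s.id] = (fresh.id, now)
        return fresh.id


def run_fixation_scenario(rotate: bool, grace_seconds: float) -> dict:
    """Attacker plants a pre-auth id on the victim; victim logs in; who can use the old id?"""
    mgr = SessionManager(rotate=rotate, grace_seconds=grace_seconds)
    planted = mgr.create().id                      # attacker-controlled, unauthenticated id
    t_login = 100.0
    new_id = mgr.authenticate(planted, "victim", t_login)

    # Victim's second, parallel request still carrying the pre-login id (Thomas's case).
    stale = mgr.resolve(planted, t_login + 0.2)
    # Attacker replays the id he planted, a little later.
    attacker = mgr.resolve(planted, t_login + 5.0)

    return {
        "id_changed": new_id != planted,
        "stale_victim_request_authenticated": stale is not None and stale.principal == "victim",
        "attacker_principal": attacker.principal if attacker is not None else None,
    }


if __name__ == "__main__":
    for label, args in [("strict rotate", (True, 0.0)),
                        ("rotate + 30s grace", (True, 30.0)),
                        ("no rotate", (False, 0.0))]:
        print(f"{label:20s} {run_fixation_scenario(*args)}")
```

Strict rotation is the only mode in which the attacker's planted id is dead after login, and it is also the only mode in which the victim's stale parallel request loses its authentication; the grace window that would "fix" the parallel-request problem hands the authenticated session to whoever held the old id, which is why it is equivalent to not rotating at all.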
