On Fri, Feb 19, 2010 at 12:02:18PM +0000, iainmac wrote:
>
> Hi,
>
> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>
> I have a web application that checks for a current session, and if there
> isn't one it sends the user to a login screen. This is working fine from
> Explorer as it did before in the previous version of Tomcat, but it keeps
> saying the session is new in Firefox, Safari and Chrome.
>
> In the jsp, this keeps taking me back to the login screen...
>
> if (session.getAttribute("userName") == null) {
>     response.sendRedirect("login.jsp");
>     return;
> }
>
> Why would Explorer work and the others not?
>
> Thanks,
>
> Iain
You might want to review the new protection Tomcat has against session
fixation, which was done in 6.0.21.
http://issues.apache.org/bugzilla/show_bug.cgi?id=45255