session regeneration in tomcat ?
Posted
by shrini1000
on Stack Overflow
See other posts from Stack Overflow
or by shrini1000
Published on 2010-06-10T05:34:24Z
Indexed on
2010/06/10
5:43 UTC
Read the original article
Hit count: 388
Hi, I am using Spring security to secure my Java web application which is deployed in tomcat. I found out that it is vulnerable to session fixation attacks because tomcat does not create a new session upon successful log in. On debugging some more, here's what I found. For the following code (which is supposed to create a new session - pl. note, it's just a snippet and not full code):
HttpSession session = request.getSession(false);
session.invalidate();
session = request.getSession(true); // we now have a new session
I thought a new session will be created, but tomcat simply uses the same session that got invalidated and hence the session id does not change.
I searched online and found a solution which uses a 'valve' - http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html
but could not get it to work because it's looking for a jboss logging class and when I add it to lib, I get a reflection exception and the server doesn't start up.
I'm using tomcat 5.5.28. Will be glad to have any pointers. Pl. let me know if you need more details, since I don't want to make this post too long.
Sincere thanks!
© Stack Overflow or respective owner