Session regeneration in Tomcat?

Posted by shrini1000 on Stack Overflow
Published on 2010-06-10T05:34:24Z, indexed on 2010/06/10 5:43 UTC


Hi, I am using Spring Security to secure my Java web application, which is deployed in Tomcat. I found out that it is vulnerable to session fixation attacks because Tomcat does not create a new session upon successful log in. On debugging some more, here's what I found. For the following code (which is supposed to create a new session; please note, it's just a snippet and not the full code):

HttpSession session = request.getSession(false); // the existing (pre-login) session
session.invalidate();                            // discard it ...
session = request.getSession(true);              // ... and ask Tomcat for a new session (expected to carry a new id)

I thought a new session would be created, but Tomcat simply uses the same session that got invalidated, and hence the session id does not change.

I searched online and found a solution which uses a 'valve' - http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html

but I could not get it to work because it's looking for a JBoss logging class, and when I add it to lib, I get a reflection exception and the server doesn't start up.

I'm using Tomcat 5.5.28. I will be glad to have any pointers. Please let me know if you need more details, since I don't want to make this post too long.

Sincere thanks!

