portals-jetspeed-dev mailing list archives

From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Created] (JS2-1359) Retain Session on Login Feature broken
Date Thu, 30 Nov 2017 19:05:00 GMT
David Sean Taylor created JS2-1359:

             Summary: Retain Session on Login Feature broken
                 Key: JS2-1359
                 URL: https://issues.apache.org/jira/browse/JS2-1359
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.3.1
            Reporter: David Sean Taylor
            Assignee: David Sean Taylor
             Fix For: 2.3.2

With Tomcat 6, keeping the same session from guest state to logged in state was default behavior.
With Tomcat 7, to address Session Fixation attacks, this behavior was locked down, see:


Tomcat 7 and 8 support a setting in context.xml to configure this behavior:



Controls if the session ID is changed if a session exists at the point where users are authenticated.
This is to prevent session fixation attacks. If not set, the default value of true will be

<Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8"

This message was sent by Atlassian JIRA
