portals-jetspeed-dev mailing list archives

From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Created] (JS2-1359) Retain Session on Login Feature broken
Date Thu, 30 Nov 2017 19:05:00 GMT
David Sean Taylor created JS2-1359:
--------------------------------------

             Summary: Retain Session on Login Feature broken
                 Key: JS2-1359
                 URL: https://issues.apache.org/jira/browse/JS2-1359
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.3.1
            Reporter: David Sean Taylor
            Assignee: David Sean Taylor
             Fix For: 2.3.2


With Tomcat 6, keeping the same session from guest state to logged in state was default behavior.
With Tomcat 7, to address Session Fixation attacks, this behavior was locked down, see:

https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Tomcat 7 and 8 support a setting in context.xml to configure this behavior:

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

changeSessionIdOnAuthentication

Controls if the session ID is changed if a session exists at the point where users are authenticated.
This is to prevent session fixation attacks. If not set, the default value of true will be
used.

<Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8"
changeSessionIdOnAuthentication="false"/>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
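The valve setting quoted in the report keeps the pre-login session ID, which is exactly what the Tomcat default (`changeSessionIdOnAuthentication="true"`) exists to prevent: anyone who could plant a session ID in a victim's browser before login would then share the authenticated session. The alternative that keeps the guest-to-logged-in state without reopening that hole is to rotate the ID while carrying the attributes over. The following is an added example written for this page, not code from Jetspeed or Tomcat; it assumes the `javax.servlet` API (the `changeSessionId()` call needs Servlet 3.1, i.e. Tomcat 8 or later, while the copy-and-invalidate path works on any container), and the `"user"` attribute name and the `SessionRotation` class name are illustrative.

```java
// Added example, not Jetspeed or Tomcat code: rotate the session ID at login
// while preserving the guest session's attributes, as an alternative to
// setting changeSessionIdOnAuthentication="false" on the authenticator valve.
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Returns a session whose ID the pre-login client cannot have known,
     * carrying over every attribute of the guest session. Works on any
     * Servlet container because it only uses invalidate() + getSession(true).
     * Call it after the credentials have been verified and before writing
     * the principal into the session.
     */
    public static HttpSession rotatePreservingState(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-authentication session exists, so there is no ID an
            // attacker could have fixed; just start a fresh one.
            return request.getSession(true);
        }

        // Copy the guest state (portal page state, locale, cart, ...) first,
        // because invalidate() discards all attributes.
        Map<String, Object> saved = new LinkedHashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        int maxInactive = old.getMaxInactiveInterval();

        // Invalidate the fixable session and let the container issue a new
        // ID (and a new JSESSIONID cookie) for this request.
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(maxInactive);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Servlet 3.1 (Tomcat 8+) shortcut: the container changes the ID in place
     * and keeps the attributes itself. Returns the new session ID.
     * Throws IllegalStateException if the request has no session.
     */
    public static String rotateNative(HttpServletRequest request) {
        request.getSession(true);
        return request.changeSessionId();
    }

    /**
     * Example login hook: rotate first, then mark the session authenticated.
     * The "user" attribute name is an assumption for illustration only.
     */
    public static void onAuthenticated(HttpServletRequest request, String username) {
        HttpSession session = rotatePreservingState(request);
        session.setAttribute("user", username);
    }
}
```

The valve attribute only governs container-managed authentication (the `FormAuthenticator` valve shown above); a portal that performs its own login has to do the rotation in application code such as this, regardless of how the valve is configured. Either way the check to make is that the `JSESSIONID` returned after a successful login differs from the one sent with the login request.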
