portals-jetspeed-dev mailing list archives

From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Resolved] (JS2-1359) Retain Session on Login Feature broken
Date Thu, 30 Nov 2017 19:10:00 GMT

     [ https://issues.apache.org/jira/browse/JS2-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

David Sean Taylor resolved JS2-1359.
    Resolution: Fixed

Provided an example changeSessionIdOnAuthentication attribute in context.xml, but defaulted it
to the secure setting of true. If you need the old behavior, set changeSessionIdOnAuthentication=false.

> Retain Session on Login Feature broken
> --------------------------------------
>                 Key: JS2-1359
>                 URL: https://issues.apache.org/jira/browse/JS2-1359
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.3.1
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.3.2
> With Tomcat 6, keeping the same session from guest state to logged-in state was default
> behavior. With Tomcat 7, to address Session Fixation attacks, this behavior was locked down:
> https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> Tomcat 7 and 8 support a setting in context.xml to configure this behavior:
> https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
> changeSessionIdOnAuthentication
> Controls if the session ID is changed if a session exists at the point where users are
> authenticated. This is to prevent session fixation attacks. If not set, the default value
> of true will be used.
> <Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8"
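As an added example (not code from this issue, from Jetspeed or from Tomcat), the same idea applied to an application that performs its own login: rotate the session ID at the moment of authentication so a pre-login ID planted in the browser stops being valid, but keep the guest session's attributes, which is what the "retain session on login" behavior needs. The class and method names are hypothetical; the first path relies on the Servlet 3.1 method HttpServletRequest.changeSessionId() (Tomcat 8), the second copies attributes by hand for Servlet 3.0 containers such as Tomcat 7.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper: rotate the session ID when a user authenticates while
 * retaining guest-state attributes (cart, locale, portlet state, ...), so that
 * session fixation protection and "retain session on login" coexist.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /** Servlet 3.1+ (Tomcat 8): the HttpSession object and its attributes are
     *  kept; only the ID (and therefore the JSESSIONID cookie) is replaced. */
    public static String rotateOnLogin(HttpServletRequest request) {
        HttpSession existing = request.getSession(false);
        if (existing == null) {
            // No pre-login session exists, so there is no ID to rotate.
            return request.getSession(true).getId();
        }
        return request.changeSessionId();
    }

    /** Servlet 3.0 fallback (Tomcat 7): copy attributes into a fresh session
     *  and invalidate the old one so its ID can no longer be used. */
    public static HttpSession rotateOnLoginLegacy(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> retained = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                retained.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-authentication ID is now dead
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : retained.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call either method immediately after the credentials have been verified and before any authenticated state is written to the session.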

This message was sent by Atlassian JIRA
