portals-jetspeed-dev mailing list archives

From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Resolved] (JS2-1359) Retain Session on Login Feature broken
Date Thu, 30 Nov 2017 19:10:00 GMT

     [ https://issues.apache.org/jira/browse/JS2-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Sean Taylor resolved JS2-1359.
------------------------------------
    Resolution: Fixed

Provided an example changeSessionIdOnAuthentication attribute in context.xml, but defaulted it
to the secure setting of true. If you need the old behavior, set changeSessionIdOnAuthentication=false

> Retain Session on Login Feature broken
> --------------------------------------
>
>                 Key: JS2-1359
>                 URL: https://issues.apache.org/jira/browse/JS2-1359
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.3.1
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.3.2
>
>
> With Tomcat 6, keeping the same session from guest state to logged in state was default behavior. With Tomcat 7, to address Session Fixation attacks, this behavior was locked down, see:
> https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> Tomcat 7 and 8 support a setting in context.xml to configure this behavior:
> https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
> changeSessionIdOnAuthentication
> Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.
> <Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
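The application-side alternative to setting changeSessionIdOnAuthentication="false", as an added example that is neither Jetspeed nor Tomcat code: at login, carry the guest session's chosen attributes into a session with a freshly issued ID, so state survives login while an ID handed out before authentication stops being valid. The class name, the `jetspeed.guest.` attribute prefix and the `jetspeed.user` attribute are assumptions for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example (not Jetspeed or Tomcat code). */
public final class LoginSessionMigration {

    /** Hypothetical prefix marking guest state the portal wants to survive login. */
    private static final String CARRY_PREFIX = "jetspeed.guest.";
    /** Hypothetical attribute holding the authenticated principal. */
    private static final String USER_ATTR = "jetspeed.user";

    private LoginSessionMigration() {}

    /**
     * Call once credentials have been verified. Returns a session whose ID was
     * never issued before authentication, so an ID obtained in the guest phase
     * no longer resolves to the logged-in session, while guest attributes under
     * CARRY_PREFIX are preserved.
     *
     * Works on Servlet 3.0 (Tomcat 7). On Servlet 3.1+ (Tomcat 8) a single
     * request.changeSessionId() call, which keeps attributes and only swaps the
     * ID, can replace the invalidate/re-create pair below.
     */
    public static HttpSession migrate(HttpServletRequest request, String principal) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession guest = request.getSession(false);
        if (guest != null) {
            for (String name : Collections.list(guest.getAttributeNames())) {
                // Copy only state the application explicitly marked as carry-over;
                // anything else from the unauthenticated phase is dropped.
                if (name.startsWith(CARRY_PREFIX)) {
                    carried.put(name, guest.getAttribute(name));
                }
            }
            guest.invalidate(); // the pre-login ID is dead from here on
        }
        HttpSession fresh = request.getSession(true); // container issues a new ID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(USER_ATTR, principal);
        return fresh;
    }
}
```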
