session regeneration in tomcat ?

Posted by shrini1000 on Stack Overflow See other posts from Stack Overflow or by shrini1000
Published on 2010-06-10T05:34:24Z Indexed on 2010/06/10 5:43 UTC
Read the original article Hit count: 357

Filed under:

session

|

tomcat

Hi, I am using Spring security to secure my Java web application which is deployed in tomcat. I found out that it is vulnerable to session fixation attacks because tomcat does not create a new session upon successful log in. On debugging some more, here's what I found. For the following code (which is supposed to create a new session - pl. note, it's just a snippet and not full code):

HttpSession session = request.getSession(false); session.invalidate(); session = request.getSession(true); // we now have a new session

I thought a new session will be created, but tomcat simply uses the same session that got invalidated and hence the session id does not change.

I searched online and found a solution which uses a 'valve' - http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html

but could not get it to work because it's looking for a jboss logging class and when I add it to lib, I get a reflection exception and the server doesn't start up.

I'm using tomcat 5.5.28. Will be glad to have any pointers. Pl. let me know if you need more details, since I don't want to make this post too long.

Sincere thanks!

© Stack Overflow or respective owner

Related posts about session

any clue in these logs why keyboard audio and internet are messed up

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Jun 7 00:01:18 Isis lightdm: pam_unix(lightdm-autologin:session): session opened for user mimi by (uid=0) Jun 7 00:01:18 Isis lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0 Jun 7 00:01:26 Isis polkitd(authority=local): Registered Authentication Agent for… >>> More
session variables lost between pages or use same variables

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, Yesterday I learn many thing from you, especially from Marc and my problem was solved ( session variables lost between pages or use same variables ). But now I continue asking: I don't want to use Session ID(session.use_trans_sid = 1) between pages. But also I don't want to use same session… >>> More
WTSQuerySessionInformation returning empty strings

as seen on Stack Overflow - Search for 'Stack Overflow'
I've written a program which should query the Terminal Services API and print out some state information about the sessions running on a terminal services box. I'm using the WTSQuerySessionInformation function to do this and it's returning some data but most of the data seems to be missing... Does… >>> More
Can I set Session timeout for a specified Session variable differently than other Session Variables

as seen on Stack Overflow - Search for 'Stack Overflow'
I'd like to set the timeout on a specific Session Variable in a .Net web application, but leave other Session variables alone. Is this possible? Example: I have 5 Session Variables Session(var1) Session(var2) Session(var3) Session(var4) Session(var5) I want to set it so that Session(var1) through… >>> More
PHP upgrade to 5.3 from 5.2, sessions no longer get stored

as seen on Server Fault - Search for 'Server Fault'
background link: http://stackoverflow.com/questions/7014945/php-upgrade-5-2-to-5-3-session-issue I have upgraded PHP on my 2008 std server from PHP 5.2 to PHP 5.3. Following the upgrade, sessions no longer work correctly. I have copied over the settings from my PHP.ini files which are applicable… >>> More

Related posts about tomcat

SSL in tomcat with apr and Centos 6

as seen on Super User - Search for 'Super User'
I'm facing a problem setting up my tomcat with apr native lib, I have the following: Tomcat: 7.0.42 Java: 1.7.0_40-b43 OS: Centos 6.4 (2.6.32-358.18.1.el6.i686) APR: 1.3.9 Native lib: 1.1.27 OpenSSL: openssl-1.0.0-27.el6_4.2.i686 My server.xml looks like: ... <Listener className="org.apache… >>> More
Apache+Tomcat VS Stand Alone Tomcat or GlassFish

as seen on Server Fault - Search for 'Server Fault'
Hi, I am setting up a Debian server to serve Java web applications. I have done quite a bit of research for several weeks now. Tomcat's web site says it is better to use stand alone Tomcat for speed if you are not clustering. However, I have seen many people suggest that using Apache + Tomcat… >>> More
Tomcat - How to limit the maximum memory Tomcat will use

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Guys, I am running Tomcat on a small VPS (256MB/512MB) and I want to explicitly limit the amount of memory Tomcat uses. I understand that I can configure this somehow by passing in the java maximum heap and initial heap size arguments; -Xmx256m -Xms128m But I can't find where to put this… >>> More
Tomcat 4.1.X and Tomcat 5.0.X

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a problem about tomcat, Our application designed on Tomcat 4.1.X and When I restart Tomcat 4.1.X there is no problem. But I upgrade it to Tomcat 5.0.X. Now ,when I restart Tomcat 5.0.X session is down and application redirect me to login page. Any idea? >>> More
Restarting Tomcat from Tomcat itself

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, is it possible to restart Tomcat6 by executing a JSP? This because I would like to deploy the changes of an application by doing it remotely using the webserver. The deploy script is written in bash and it checkouts the latest version from the svn, then package it as a war, then copy it in… >>> More