I should also mention that after some very simple testing I was able to confirm that (of course) Tomcat is notifying my application when the session is invalidated in a valve. I'm still fairly new to this entire stack, so forgive my ignorance. :-)
Cheers.

On Fri, Mar 14, 2014 at 9:46 AM, Joesph Bleau <jbl...@systemsinmotion.com> wrote:

> It's possible (read: likely) that we're doing something incorrectly, but
> we're using Spring and it was already attempting to provide session
> fixation within the application by invalidating sessions upon
> authentication. However, it appears that Tomcat was providing us with the
> same session ID for our new session. I've scoured the internet and I've
> seen that I'm not the first person to have this problem, but there was no
> definitive solution available. I ultimately settled on invalidating the
> session in the valve, which appeared to work; Tomcat didn't provide the same
> ID here.
>
> On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> Joseph,
>>
>> On 3/14/14, 5:59 AM, Joesph Bleau wrote:
>> > Right now we're running our application in Tomcat and using
>> > Hazelcast to share information across our multiple instances. In an
>> > attempt to prevent session fixation I implemented a Tomcat valve
>> > which invalidates sessions when a user authenticates (or in this
>> > case, just visits the authentication endpoints). This is causing an
>> > issue where our application proper isn't getting notified of
>> > invalidated sessions and they're hanging around in the Hazelcast
>> > map.
>>
>> Any reason not to trust Tomcat's session-fixation prevention (which
>> implements session-id changing, and already works across a cluster)?
>>
>> > I tried everything I could to fix the session fixation problem
>> > within the scope of my application but no matter what I did it
>> > seemed like Tomcat would persist a user's session even after
>> > invalidating it, so this was my solution, and of course I face an
>> > equally annoying and difficult problem.
>> >
>> > We're using Tomcat 7, Apache 2.2 / mod_jk to load balance, Spring
>> > 3.1, and Hazelcast 2.2
>> >
>> > Any and all advice / tips / scorn appreciated. :-)
>> >
>> > Joseph Bleau
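For reference, the alternative Christopher points at (changing the session ID in place rather than invalidating the session) can also be done from a valve. The following is an added example, not code posted in this thread or shipped by Tomcat, Spring or Hazelcast. It assumes Tomcat 7's internal API (org.apache.catalina.Manager.changeSessionId(Session) and org.apache.catalina.connector.Request.changeSessionId(String), the same calls Tomcat's own authenticators use when changeSessionIdOnAuthentication is on), and the login path /j_spring_security_check is a hypothetical value set through the valve's loginPath attribute in context.xml.

```java
// SessionIdRotationValve.java (added example; not from the thread).
// Rotates the session ID in place on the credential-submitting request
// instead of calling session.invalidate(). Attributes survive, no
// sessionDestroyed event fires, and the client gets a fresh JSESSIONID.
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SessionIdRotationValve extends ValveBase {

    // Hypothetical login endpoint; configure with
    // <Valve className="...SessionIdRotationValve" loginPath="/login"/>
    private String loginPath = "/j_spring_security_check";

    public void setLoginPath(String loginPath) { this.loginPath = loginPath; }
    public String getLoginPath() { return loginPath; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Rotate only on the POST that carries credentials, not on every GET
        // of the login page, and only when a session already exists: a session
        // created later in this request cannot carry an attacker-chosen ID.
        String loginUri = request.getContextPath() + loginPath;
        if ("POST".equals(request.getMethod())
                && loginUri.equals(request.getRequestURI())) {
            Session session = request.getSessionInternal(false);
            if (session != null && session.isValid()) {
                // Manager.changeSessionId re-keys the live session under a new
                // ID (a clustered manager propagates this to the other nodes);
                // Request.changeSessionId updates the request and re-sends the
                // session cookie with the new value.
                Manager manager = request.getContext().getManager();
                manager.changeSessionId(session);
                request.changeSessionId(session.getId());
            }
        }
        getNext().invoke(request, response);
    }
}
```

Two caveats worth knowing before choosing this over invalidation. First, the built-in Tomcat behaviour Christopher refers to lives on the container's authenticator valves (changeSessionIdOnAuthentication), so it only engages for container-managed login (Realm plus login-config); when Spring Security performs the login, its own session-fixation-protection setting is the equivalent control (in 3.1 the default, migrateSession, invalidates the old session and copies its attributes into a new one). Second, if the application keys its Hazelcast map by session ID, re-keying the session needs a hook just as invalidation did; the Servlet 3.1 HttpSessionIdListener provides exactly that, but it requires Tomcat 8 or later, since Tomcat 7 implements Servlet 3.0.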