이강우,

On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> Environment
> - openjdk 1.7
> - tomcat 7.0.55 with native connector
> - apache 2.4.10 with mod-jk 1.2.40
> 
> 1. Tomcat start
> 2. Client request -> JSESSIONID is null
> 3. Tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
> 4. Refresh page -> session attribute (name=count, value=count++) is
> correct; count is increasing.

Good so far.

> 5. Tomcat stop -> start (restart); context setting is that the session
> is not persisted

Okay.

> 6. Client refresh -> client request sends
> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
> 7. Session attribute (name=count, value=0) is reset, but the JSESSIONID
> is kept
> 
> Question: why does Tomcat use the JSESSIONID value sent by the client
> request? Why is it not regenerated?

If the client requests a session by id, Tomcat will try to give it to
them. If it doesn't exist, it will use that session identifier for the
new session.

Did the user actually authenticate with Tomcat? Or just get an
anonymous session? If the user authenticates with Tomcat, the session
identifier should change to prevent session-fixation attacks.

> Is this the Java spec?

I believe the spec says nothing about the generation of session ids.
Even the above session-fixation behavior is outside of the spec (but
definitely does not violate it).

-chris
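As an added illustration (not code from this thread, nor from Tomcat), a servlet filter that reports the situation described above: the request carried a JSESSIONID that no longer matches a live session, and the session created during the request ended up with that same client-supplied id. The filter name, the logging and the id abbreviation are assumptions; it uses only Servlet 3.0 APIs, which Tomcat 7 provides.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: flags new sessions that reuse a stale id sent by the client.
@WebFilter("/*")
public class SessionIdReuseFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionIdReuseFilter.class.getName());

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String requested = r.getRequestedSessionId();   // id the client sent, or null
        // A non-null id that matches no live session (e.g. after a restart without persistence)
        boolean staleId = requested != null && !r.isRequestedSessionIdValid();

        chain.doFilter(req, res);

        // Only inspect a session created during this request; never create one here.
        HttpSession s = r.getSession(false);
        if (staleId && s != null && s.isNew()) {
            if (s.getId().equals(requested)) {
                LOG.warning("new session adopted client-supplied JSESSIONID " + abbrev(requested)
                        + " from " + r.getRemoteAddr() + "; confirm the id is rotated on login");
            } else {
                LOG.fine("stale JSESSIONID " + abbrev(requested) + " replaced by " + abbrev(s.getId()));
            }
        }
    }

    // Never write full session ids to logs; a prefix is enough to correlate events.
    private static String abbrev(String id) {
        return id.length() <= 8 ? id : id.substring(0, 8) + "...";
    }

    @Override
    public void destroy() {}
}
```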
