> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, April 09, 2010 8:06 AM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.24 requires me to log on twice
> On 08/04/2010 23:34, Christopher Schultz wrote:
> >> This happens on Tomcat 6.0.24 and 6.0.26, but not 6.0.20, which makes me
> >> think it is related to change 45255 (Provide protection against session
> >> fixation by changing session ID automatically on authentication.), in
> >> the dev environment tomcat is running on windows XP. Session tracking is
> >> done by cookie, not URL rewriting.
> >
> > I haven't read the actual patch that added this session-id switching but
> > it's not clear if it's configurable. Mark said he'd likely make this an
> > option that defaults to "off".
> 
> Security trumped compatibility in this case and it defaults to on. 
> Nothing stopping you turning it off though.
> 
> I'd note that apps that have issues with this behaviour are likely to 
> have issues with load-balancing, sticky sessions and fail-over as 
> exactly the same code is used to change the session ID on fail-over.
> 
> Mark

This doesn't affect me, but I can see it being a problem for others (unless, of 
course, the cause is our application doing something very strange).

The problem seems to occur if there are any restricted resources within a page 
- it doesn't seem too outlandish for someone to restrict access to their 
images folder (say, it has client logos in it and they are required to be a bit 
paranoid about their client list).

I have a workaround that will work for some people in this situation - require 
all logons to go through index.jsp (or whatever) and have this be a page that 
just shows a 'loading...' animated image (or whatever) - but this doesn't work 
if you want to be able to bookmark pages within your site.

Terry
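To make concrete what change 45255 in the thread above protects against, and why the default matters, here is an added illustration that is not part of the original mail exchange and not Tomcat's own Manager or Authenticator code. It is a small Python simulation of a server-side session table with a switch, modelled on the behaviour Mark describes, that either rotates the session ID at authentication or keeps the pre-login ID. All names (`SessionStore`, `fixation_scenario`, the credentials, the user "alice") are constructed for the example.

```python
import secrets

# Constructed credential table; a real container would consult its Realm.
_USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    return _USERS.get(username) == password


class SessionStore:
    """Minimal server-side session table (constructed example).

    With change_session_id_on_authentication=True, a successful login moves the
    session's attributes to a freshly generated ID and invalidates the old one,
    which is the mitigation discussed in the thread. With False, the ID issued
    before login simply becomes an authenticated session.
    """

    def __init__(self, change_session_id_on_authentication=True):
        self.rotate = change_session_id_on_authentication
        self.sessions = {}  # session id -> attribute dict

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def authenticate(self, sid, username, password):
        """Return the session ID the client must use after login, or None."""
        if sid not in self.sessions or not check_credentials(username, password):
            return None
        if not self.rotate:
            self.sessions[sid]["user"] = username
            return sid
        attrs = self.sessions.pop(sid)  # pre-login ID stops resolving
        attrs["user"] = username
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_scenario(rotate):
    """A session ID is handed out before login and is known to a third party;
    the legitimate user then logs in with that ID. Report what each party ends
    up with, so the two settings can be compared."""
    store = SessionStore(change_session_id_on_authentication=rotate)
    pre_login_sid = store.new_session()
    post_login_sid = store.authenticate(pre_login_sid, "alice", _USERS["alice"])
    return {
        "old_id_resolves_to": store.user_for(pre_login_sid),
        "id_changed": post_login_sid != pre_login_sid,
        "user_logged_in": store.user_for(post_login_sid) == "alice",
    }


if __name__ == "__main__":
    print("rotate on :", fixation_scenario(True))
    print("rotate off:", fixation_scenario(False))
```

With rotation on, the ID that existed before login resolves to nobody afterwards, so anyone who learned it beforehand holds nothing; with rotation off, that same ID is now an authenticated session for "alice". It also shows the flip side Mark raises: any client or intermediary that keeps presenting the pre-login ID after authentication is treated as unauthenticated, which is why applications sensitive to this are also the ones that struggle with fail-over. In Tomcat the behaviour is controlled per authenticator valve by the `changeSessionIdOnAuthentication` attribute, which defaults to `true`.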
