2010/11/29 Christopher Schultz <ch...@christopherschultz.net>
> Andrea,
>
> On 11/29/2010 9:37 AM, Andrea Corti wrote:
> > In order to avoid session fixation in the login phase of our application
> > we have to invalidate the session.
>
> As you may have noted, Tomcat has implemented this behavior and you
> shouldn't have to worry about it.
>
> > But we found the issue reported in the following bug (marked as solved)
> > related to Tomcat 6.0.28:
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> That would be the one.
>
> > I'm using tomcat 6.0.29 (under win XP and linux CentOS) where the issue is
> > marked as resolved but I can replicate it every time.
>
> Okay, how are you replicating it and what are your results?
>
> > If it can be helpful I'm in a servlet in an https connection (without any
> > framework or similar).
> > I discovered that on http call the session is correctly renewed but on https
> > it is not.
>
> Interesting.
>
> > Follows an extract from a test servlet:
> >
> >     HttpSession s = req.getSession();
> >     if (s == null) {
> >         System.out.println(mt + ":Session is null");
> >     } else {
> >         System.out.println(mt + ":Session id=" + s.getId() + "\tNew=" + s.isNew());
> >     }
> >     System.out.println("pre- invalidate");
> >     s.invalidate();
> >     System.out.println("post- invalidate: id=" + s.getId());
> >     s = req.getSession(true);
> >     System.out.println("post- get new: id=" + s.getId());
>
> Okay, what does the above servlet print when you access it via HTTP, and
> then access it via HTTPS?
>
HTTP Output:

POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC    New=true
pre- invalidate
sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC]    <-- this log is printed by a HttpSessionListener
post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A]      <-- this log is printed by a HttpSessionListener
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A

We can notice that the session id after the getSession(true) is different from the previous one.

HTTPS Output:

POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A    New=false
pre- invalidate
sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A]    <-- this log is printed by a HttpSessionListener
post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A]      <-- this log is printed by a HttpSessionListener
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A

In this case the session id is always the same!

Can someone suggest a way to avoid such an issue?

I saw that between release 28 and 29 the following class has been changed but I'm not able to debug it:

java\org\apache\catalina\connector\Response.java (method addSessionCookieInternal)

Thanks.
Andrea

> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
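For reference, the login-time session renewal the thread is discussing, written out as a complete servlet. This is an added example and is not code from the thread or from Tomcat; LoginServlet, authenticate(...) and the CARRIED_ATTRIBUTES set are hypothetical names chosen here. Unlike the test servlet quoted above, it records the old id before calling invalidate() (getId() on an invalidated session is not a reliable way to read it) and fails closed if the container hands back the same id, which is exactly the HTTPS symptom reported in the thread. It targets the Servlet 2.5 API of Tomcat 6; on Servlet 3.1 containers (Tomcat 8 and later) HttpServletRequest.changeSessionId() performs the renewal in one call.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (added example, not from the thread).
 * After a successful credential check it replaces the pre-login session
 * with a fresh one and refuses to continue if the id did not change.
 */
public class LoginServlet extends HttpServlet {

    // Hypothetical: the only pre-login attributes worth carrying across
    // the renewal. Authentication state is never in this set.
    private static final Set<String> CARRIED_ATTRIBUTES =
            new HashSet<String>(Arrays.asList("cart", "locale"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (!authenticate(user, req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Renew first, then attach the authenticated identity to the new session.
        HttpSession fresh = renewSession(req);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Invalidates the pre-login session, creates a new one, copies over the
     * whitelisted attributes and verifies that the id actually changed.
     */
    static HttpSession renewSession(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        String oldId = null;
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Capture the id before invalidate(); do not rely on getId() afterwards.
            oldId = old.getId();
            for (String name : CARRIED_ATTRIBUTES) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // The container reused the client-supplied id, so this login
            // would not be protected against fixation. Fail closed.
            fresh.invalidate();
            throw new ServletException("session id was not renewed on login");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private static boolean authenticate(String user, String pass) {
        // Placeholder for the application's real credential check.
        return user != null && pass != null && !user.isEmpty();
    }
}
```

Deploy it like any other servlet and exercise the login over both HTTP and HTTPS: if the container ever reuses the id, the ServletException surfaces in the logs immediately instead of leaving the session silently fixated, which is the check missing from the println-based test servlet in the thread.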