You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "이강우 (KangWoo Lee)" <ko...@gmail.com> on 2014/10/22 10:41:24 UTC
is normal keep value when tomcat restart after JSESSIONID was create?
Environment - openjdk 1.7 - tomcat 7.0.55 with native connector - apache
2.4.10 with mod-jk 1.2.40
1. Tomcat start
2. Client request -> JSESSIONID is null
3. tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is
create
4. refresh page -> session attribute(name=count, value=count++) is
correct. count is increasing.
5. Tomcat stop -> start (restart) context setting is session is not
persist
6. Client refresh -> client request is send
JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
7. session attribute(name=count, value=0) is reset. but keeping
JSESSIONID
question. why tomcat using JSESSIONID set by client request value? is not
regenerate?
is this java spec?
thanks.
Re: is normal keep value when tomcat restart after JSESSIONID was create?
Posted by "이강우 (KangWoo Lee)" <ko...@gmail.com>.
I found a causes. set the context attribute sessioncookiepath="/" is same
affect of emptysessionpath. tomcat document says if set emptysessionpath
then yomcat using session id value of client request.
I solve it. thanks to your comment.
2014. 10. 24. 오전 12:42에 "Christopher Schultz" <ch...@christopherschultz.net>님이
작성:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> 이강우,
>
> On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> > ok I undertand.
> >
> > -> the session identifier should change to prevent session-fixation
> > attacks.
> >
> > but how I can set tomcat to regenerate id value? I was search
> > document, but can't find it
>
> I'm not sure what you are asking. Can you ask in a different way? Do
> you want Tomcat to reject the requested (invalid) session id and
> generate a new one instead?
>
> - -chris
>
> > 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> > <chris@christopherschultz.net
> >> :
> >
> > 이강우,
> >
> > On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> >>>> Environment - openjdk 1.7 - tomcat 7.0.55 with native
> >>>> connector - apache 2.4.10 with mod-jk 1.2.40
> >>>>
> >>>> 1. Tomcat start 2. Client request -> JSESSIONID is null 3.
> >>>> tomcat response ->
> >>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create 4.
> >>>> refresh page -> session attribute(name=count, value=count++)
> >>>> is correct. count is increasing.
> >
> > Good so far.
> >
> >>>> 5. Tomcat stop -> start (restart) context setting is session
> >>>> is not persist
> >
> > Okay.
> >
> >>>> 6. Client refresh -> client request is send
> >>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
> >>>> attribute(name=count, value=0) is reset. but keeping
> >>>> JSESSIONID
> >>>>
> >>>> question. why tomcat using JSESSIONID set by client request
> >>>> value? is not regenerate?
> >
> > If the client requests a session by id, Tomcat will try to give it
> > to them. If it doesn't exist, it will use that session identifier
> > for the new session.
> >
> > Did the user actually authenticate with Tomcat? Or just get an
> > anonymous session? If the user authenticates with Tomcat, the
> > session identifier should change to prevent session-fixation
> > attacks.
> >
> >>>> is this java spec?
> >
> > I believe the spec says nothing about the generation of session
> > ids. Even the above session-fixation behavior is outside of the
> > spec (but definitely does not violate it).
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >>
> >>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUSSGuAAoJEBzwKT+lPKRYHZcP+weLH/AgmnVPs6dxiXG+Qjtg
> ndtap6eKAuys+LBmHYQCki780cmmnX0UZg8sEVENPJ+GSRRuni3/S8RwixTnA4Lv
> YbuEov2d0oxTI+ZzH0HSR40nYPSzKY3m/yzMlB4y+JrvA3ousxiIDZ07tkM6LvCq
> 6Cpn54Bd7InbHWJJJXNyn8iA+snxuJe1QfpxkiFVPrjgZgRFJfsOWCUHN6qsETYG
> EvydlCTR/9b2yPkqApEiYLULSG+K70Wtupp8pPB0jM0dP1i16qZa1SGMh79lP9kO
> FZ3H8PoPwnSluSRefyPnQgCTIWQEP89sJ4Q1fCCN4r/axUgyI6OEWuZ/MGOaN4yg
> Y37sUrcauRCy+Sfh8x7IIJpnVeOZcyPO4sDrmDjySTNKis5hdtpxwNuTY97XxHe+
> 2bD3jierVw05T4lj6zOraRo2yrzVVWujd1RUJ8vCMBnx6l3rvzxGp+10sUqePyeF
> nhc3rWg1vWcdxXDDJ8p853Xb5k1MuR1rQg2kJ9AWJDfMZULi80awPZYQuJOC9O/n
> TFGKcLsXM0xp6ND0ItdLgzTXlj8xhPDvNGp438KSD16ofm27dWM++btD4Ss3DoVs
> Vu+xwL2td0nx94+jEJgibi4SVCCVkgNzO5vu/uyxVFE1oBGxo6OSQTnp4UDc5KkY
> DQ2jHJBmVqVHwxOxS4j7
> =wFKq
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: is normal keep value when tomcat restart after JSESSIONID was
create?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
이강우,
On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> ok I undertand.
>
> -> the session identifier should change to prevent session-fixation
> attacks.
>
> but how I can set tomcat to regenerate id value? I was search
> document, but can't find it
I'm not sure what you are asking. Can you ask in a different way? Do
you want Tomcat to reject the requested (invalid) session id and
generate a new one instead?
- -chris
> 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> <chris@christopherschultz.net
>> :
>
> 이강우,
>
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
>>>> Environment - openjdk 1.7 - tomcat 7.0.55 with native
>>>> connector - apache 2.4.10 with mod-jk 1.2.40
>>>>
>>>> 1. Tomcat start 2. Client request -> JSESSIONID is null 3.
>>>> tomcat response ->
>>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create 4.
>>>> refresh page -> session attribute(name=count, value=count++)
>>>> is correct. count is increasing.
>
> Good so far.
>
>>>> 5. Tomcat stop -> start (restart) context setting is session
>>>> is not persist
>
> Okay.
>
>>>> 6. Client refresh -> client request is send
>>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
>>>> attribute(name=count, value=0) is reset. but keeping
>>>> JSESSIONID
>>>>
>>>> question. why tomcat using JSESSIONID set by client request
>>>> value? is not regenerate?
>
> If the client requests a session by id, Tomcat will try to give it
> to them. If it doesn't exist, it will use that session identifier
> for the new session.
>
> Did the user actually authenticate with Tomcat? Or just get an
> anonymous session? If the user authenticates with Tomcat, the
> session identifier should change to prevent session-fixation
> attacks.
>
>>>> is this java spec?
>
> I believe the spec says nothing about the generation of session
> ids. Even the above session-fixation behavior is outside of the
> spec (but definitely does not violate it).
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUSSGuAAoJEBzwKT+lPKRYHZcP+weLH/AgmnVPs6dxiXG+Qjtg
ndtap6eKAuys+LBmHYQCki780cmmnX0UZg8sEVENPJ+GSRRuni3/S8RwixTnA4Lv
YbuEov2d0oxTI+ZzH0HSR40nYPSzKY3m/yzMlB4y+JrvA3ousxiIDZ07tkM6LvCq
6Cpn54Bd7InbHWJJJXNyn8iA+snxuJe1QfpxkiFVPrjgZgRFJfsOWCUHN6qsETYG
EvydlCTR/9b2yPkqApEiYLULSG+K70Wtupp8pPB0jM0dP1i16qZa1SGMh79lP9kO
FZ3H8PoPwnSluSRefyPnQgCTIWQEP89sJ4Q1fCCN4r/axUgyI6OEWuZ/MGOaN4yg
Y37sUrcauRCy+Sfh8x7IIJpnVeOZcyPO4sDrmDjySTNKis5hdtpxwNuTY97XxHe+
2bD3jierVw05T4lj6zOraRo2yrzVVWujd1RUJ8vCMBnx6l3rvzxGp+10sUqePyeF
nhc3rWg1vWcdxXDDJ8p853Xb5k1MuR1rQg2kJ9AWJDfMZULi80awPZYQuJOC9O/n
TFGKcLsXM0xp6ND0ItdLgzTXlj8xhPDvNGp438KSD16ofm27dWM++btD4Ss3DoVs
Vu+xwL2td0nx94+jEJgibi4SVCCVkgNzO5vu/uyxVFE1oBGxo6OSQTnp4UDc5KkY
DQ2jHJBmVqVHwxOxS4j7
=wFKq
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: is normal keep value when tomcat restart after JSESSIONID was create?
Posted by "이강우 (KangWoo Lee)" <ko...@gmail.com>.
ok I undertand.
-> the session identifier should change to prevent session-fixation attacks.
but how I can set tomcat to regenerate id value?
I was search document, but can't find it
2014-10-22 22:44 GMT+09:00 Christopher Schultz <chris@christopherschultz.net
>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> 이강우,
>
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> > Environment - openjdk 1.7 - tomcat 7.0.55 with native connector -
> > apache 2.4.10 with mod-jk 1.2.40
> >
> > 1. Tomcat start 2. Client request -> JSESSIONID is null 3. tomcat
> > response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create
> > 4. refresh page -> session attribute(name=count, value=count++) is
> > correct. count is increasing.
>
> Good so far.
>
> > 5. Tomcat stop -> start (restart) context setting is session is
> > not persist
>
> Okay.
>
> > 6. Client refresh -> client request is send
> > JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
> > attribute(name=count, value=0) is reset. but keeping JSESSIONID
> >
> > question. why tomcat using JSESSIONID set by client request value?
> > is not regenerate?
>
> If the client requests a session by id, Tomcat will try to give it to
> them. If it doesn't exist, it will use that session identifier for the
> new session.
>
> Did the user actually authenticate with Tomcat? Or just get an
> anonymous session? If the user authenticates with Tomcat, the session
> identifier should change to prevent session-fixation attacks.
>
> > is this java spec?
>
> I believe the spec says nothing about the generation of session ids.
> Even the above session-fixation behavior is outside of the spec (but
> definitely does not violate it).
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUR7S/AAoJEBzwKT+lPKRYdT4P/3HHrY/yEJmZUWFuyAlAIgkG
> J14ix608FsWkGtsIKwh7RxgArSx3eH7niswJ8FxHljZJQThlasInz8SJlFzGYBvA
> +++56BziHVRAc+vn00/yOjzO+GW73fm+vjcnL/i6tIYLiX3YT2qd+iWV34YYBnVJ
> X0ZS6Kz2+YmkbzN9ccGp8ZWq51jqZtVsPSzEpKmdp2mf2s48O3cQlCNiw6Q5CVCr
> a0IU//ciwnkF50l5T2h4oZOV0L0ZraPgbAzf2lNpazNjSnAF3DpG2uVJc9OLIZXy
> ZBA3SM+MoLiYDbR5Wv02zx1ifDraMMrVSfeYL6zEpz5tIqeJ4wYSf2iyrkzG2fOr
> lnCdVDh1s2hRuVOsQlh8UkG86NQecc8eK6QCCviT5bSS02KK202+i/Z8uW8h4SVT
> wMyNv4vsPBgCauM5mugWiTu8T1Ae8fqIznXOImal7sVyQrE20mePkhEo6LqD6NXf
> loY55Uul/m0x52fL3/Z9czkJaWhOVd6bRdYgZH/g90CvPVzQZhBBwS15FTgjsxMU
> /IslHCv+u3aOr5HxwW4Rl83ifFM2b0tf/X/VKAqRekgz6OJF1HP4J4HN79ecdC/J
> +R+J5eo/L5hlbUbbWaH86X7Qm6rG7XoDwkaFA+6AkDfw/2/Whv11a3C8OlLhltKY
> oqUECCMeOaec6twMZLG4
> =3oOa
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: is normal keep value when tomcat restart after JSESSIONID was
create?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
이강우,
On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> Environment - openjdk 1.7 - tomcat 7.0.55 with native connector -
> apache 2.4.10 with mod-jk 1.2.40
>
> 1. Tomcat start 2. Client request -> JSESSIONID is null 3. tomcat
> response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create
> 4. refresh page -> session attribute(name=count, value=count++) is
> correct. count is increasing.
Good so far.
> 5. Tomcat stop -> start (restart) context setting is session is
> not persist
Okay.
> 6. Client refresh -> client request is send
> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
> attribute(name=count, value=0) is reset. but keeping JSESSIONID
>
> question. why tomcat using JSESSIONID set by client request value?
> is not regenerate?
If the client requests a session by id, Tomcat will try to give it to
them. If it doesn't exist, it will use that session identifier for the
new session.
Did the user actually authenticate with Tomcat? Or just get an
anonymous session? If the user authenticates with Tomcat, the session
identifier should change to prevent session-fixation attacks.
> is this java spec?
I believe the spec says nothing about the generation of session ids.
Even the above session-fixation behavior is outside of the spec (but
definitely does not violate it).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUR7S/AAoJEBzwKT+lPKRYdT4P/3HHrY/yEJmZUWFuyAlAIgkG
J14ix608FsWkGtsIKwh7RxgArSx3eH7niswJ8FxHljZJQThlasInz8SJlFzGYBvA
+++56BziHVRAc+vn00/yOjzO+GW73fm+vjcnL/i6tIYLiX3YT2qd+iWV34YYBnVJ
X0ZS6Kz2+YmkbzN9ccGp8ZWq51jqZtVsPSzEpKmdp2mf2s48O3cQlCNiw6Q5CVCr
a0IU//ciwnkF50l5T2h4oZOV0L0ZraPgbAzf2lNpazNjSnAF3DpG2uVJc9OLIZXy
ZBA3SM+MoLiYDbR5Wv02zx1ifDraMMrVSfeYL6zEpz5tIqeJ4wYSf2iyrkzG2fOr
lnCdVDh1s2hRuVOsQlh8UkG86NQecc8eK6QCCviT5bSS02KK202+i/Z8uW8h4SVT
wMyNv4vsPBgCauM5mugWiTu8T1Ae8fqIznXOImal7sVyQrE20mePkhEo6LqD6NXf
loY55Uul/m0x52fL3/Z9czkJaWhOVd6bRdYgZH/g90CvPVzQZhBBwS15FTgjsxMU
/IslHCv+u3aOr5HxwW4Rl83ifFM2b0tf/X/VKAqRekgz6OJF1HP4J4HN79ecdC/J
+R+J5eo/L5hlbUbbWaH86X7Qm6rG7XoDwkaFA+6AkDfw/2/Whv11a3C8OlLhltKY
oqUECCMeOaec6twMZLG4
=3oOa
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org