Posted to users@tomcat.apache.org by Ri...@f1000.com on 2010/03/16 15:46:59 UTC

Tomcat & httpd - Avoiding Session Fixation Attacks by using Identity Confirmation

I'm trying to avoid session fixation attacks by using Identity
Confirmation (invalidating the user's session and creating a new one
when they sign in).  This works fine when just using Tomcat, however
when httpd is handling the requests and forwarding through mod_jk the
post signin JSESSIONID is the same as before the user signed in.

I'm using Spring 3.0, which should handle the session invalidation and
creation automatically, however it is spitting out the following
message:
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Your servlet container did not change the session ID
when a new session was created. You will not be adequately protected
against session-fixation attacks

I'm using Apache 2.2 and Tomcat 6.0.18.

Has anyone come across this problem? My hunch is that it lies with
mod_jk or Apache httpd configuration.
The closest thread I found was
http://markmail.org/thread/ya5qojmhb5bzmull but it covers only attacks
where JSESSIONID was passed in as a parameter, and does not use Identity
Confirmation.

Cheers,
Richard
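The Identity Confirmation step described in the post (invalidate the pre-sign-in session, create a fresh one, then verify the container really issued a new ID, which is the check Spring's warning comes from), as an added Java example that is not from the original post, Spring, or Tomcat; the class name SessionMigration and the method migrateOnLogin are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: migrates the session at sign-in and reports when the ID was reused. */
public final class SessionMigration {
    private static final Logger LOG = Logger.getLogger(SessionMigration.class.getName());

    private SessionMigration() {}

    /**
     * Invalidates the session the browser arrived with and creates a fresh one,
     * carrying the attributes over so application state survives the switch.
     * Returns true only when the container actually issued a different JSESSIONID;
     * a false result is the same condition the Spring message in the post reports.
     */
    public static boolean migrateOnLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // With mod_jk the ID carries a jvmRoute suffix; compare the full ID the container returns.
        boolean changed = oldId == null || !oldId.equals(fresh.getId());
        if (!changed) {
            LOG.warning("Session ID unchanged across sign-in; fixation protection is not effective");
        }
        return changed;
    }
}
```

Calling migrateOnLogin from the sign-in handler and treating a false return as a deployment fault gives the same signal Spring logs, independent of the framework in front of Tomcat.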
