Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2011/12/07 18:04:43 UTC

Any servlet API event to denote change in session id

I note that in recent versions of Tomcat (e.g. 7.0.23), the session id 
changes when you do a form-based authentication.

I do not see any sort of notice via anything one can listen to via the 
servlet API to receive notice of this change.

This makes things rather ugly if one is monitoring the sessions oneself 
-- as their identity changes out from under you without any notice.

Am I missing something here?  [Yes, I note the container event, but that 
necessitates Tomcat-specific code, etc -- especially given that this 
isn't fired as a JMX notification anywhere that I can see.]

--
Jess Holle


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Any servlet API event to denote change in session id

Posted by Jess Holle <je...@ptc.com>.
On 12/7/2011 11:47 AM, Mark Thomas wrote:
> On 07/12/2011 17:04, Jess Holle wrote:
>> I note that in recent versions of Tomcat (e.g. 7.0.23), the session id
>> changes when you do a form-based authentication.
>>
>> I do not see any sort of notice via anything one can listen to via the
>> servlet API to receive notice of this change.
>>
>> This makes things rather ugly if one is monitoring the sessions oneself
>> -- as their identity changes out from under you without any notice.
>>
>> Am I missing something here?  [Yes, I note the container event, but that
>> necessitates Tomcat-specific code, etc -- especially given that this
>> isn't fired as a JMX notification anywhere that I can see.]
> No, you aren't missing anything.
>
> Note the session object does not change, just the value returned for the ID.
>
> This will hopefully get fixed in Servlet 3.1
>
> Your other option is to turn off the session fixation protection (not
> recommended).
Thanks.  I have a request listener and can use it to notice session id 
changes by the end of a request at least, update all my tracking data, 
and log the occurrence for interested parties.  It's a little later in 
the scheme of things than I'd like, but efficient enough.

--
Jess Holle


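The request-listener approach described above, written out as an added example (this is my code, not Jess Holle's or Tomcat's): under Servlet 3.0 there is no id-changed event, so the listener records the id at request start and compares it at request end, moving its own tracking entry across and logging the rotation. The tracking map, the `SessionInfo` class and the request attribute name are my own choices for illustration. The comment about ordering relies on Tomcat firing `requestInitialized` in the Host valve, before the Context pipeline that contains the authenticator valve, which is why the id recorded at request start is the one the client sent.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;

import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Servlet 3.0 workaround for the missing "session id changed" event: remember
 * the id a request came in with and compare it with the id the same session
 * has once the request is finished. @WebListener registers it without web.xml.
 */
@WebListener
public class SessionIdChangeTracker implements HttpSessionListener, ServletRequestListener {

    private static final Logger LOG = Logger.getLogger(SessionIdChangeTracker.class.getName());

    // Request attribute carrying the id seen at request start (name is this example's own).
    private static final String ID_AT_START = SessionIdChangeTracker.class.getName() + ".idAtStart";

    // Stand-in for the monitor's own per-session data, keyed by session id.
    private static final Map<String, SessionInfo> TRACKED = new ConcurrentHashMap<String, SessionInfo>();

    /** Whatever the monitor keeps per session; creation time and a rotation counter here. */
    public static final class SessionInfo {
        public final long createdAt;
        public final AtomicInteger idChanges = new AtomicInteger();
        SessionInfo(long createdAt) { this.createdAt = createdAt; }
    }

    /** Lookup used by monitoring code; must keep working across an id change. */
    public static SessionInfo lookup(String sessionId) {
        return TRACKED.get(sessionId);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        TRACKED.put(s.getId(), new SessionInfo(s.getCreationTime()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        TRACKED.remove(se.getSession().getId());
    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        // Tomcat fires this before the authenticator valve runs, so the id
        // recorded here is the one the client actually presented.
        HttpServletRequest req = (HttpServletRequest) sre.getServletRequest();
        HttpSession s = req.getSession(false);
        if (s != null) {
            req.setAttribute(ID_AT_START, s.getId());
        }
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        HttpServletRequest req = (HttpServletRequest) sre.getServletRequest();
        String before = (String) req.getAttribute(ID_AT_START);
        HttpSession s = req.getSession(false); // null if invalidated during the request
        if (before == null || s == null) {
            return; // no session at start, or nothing left to compare against
        }
        String after = s.getId();
        if (after.equals(before)) {
            return;
        }
        if (TRACKED.containsKey(after)) {
            // A different session was created during this request (invalidate()
            // followed by a new login). sessionCreated already registered it;
            // this is a replacement, not a rotation of the same session object.
            return;
        }
        rekey(before, after);
    }

    /** Move the tracking entry to the new id and log that the rotation happened. */
    static void rekey(String oldId, String newId) {
        SessionInfo info = TRACKED.remove(oldId);
        if (info == null) {
            // Session predates this listener (e.g. restored from persistence); start fresh.
            info = new SessionInfo(System.currentTimeMillis());
        }
        info.idChanges.incrementAndGet();
        TRACKED.put(newId, info);
        // Session ids are bearer credentials: log a prefix, never the full value.
        LOG.info("session id rotated: " + prefix(oldId) + " -> " + prefix(newId));
    }

    private static String prefix(String id) {
        return id.length() > 8 ? id.substring(0, 8) + "..." : id;
    }
}
```

The check against `TRACKED.containsKey(after)` is what separates a rotation (same `HttpSession` object, new id, no `sessionCreated` fired) from a logout-plus-login that produced a genuinely new session; without it the tracker would silently overwrite the new session's entry. As Jess notes, the change is only observed at the end of the request, so anything that keys on the session id during the request itself still sees the old value.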


Re: Any servlet API event to denote change in session id

Posted by Mark Thomas <ma...@apache.org>.
On 07/12/2011 17:04, Jess Holle wrote:
> I note that in recent versions of Tomcat (e.g. 7.0.23), the session id
> changes when you do a form-based authentication.
> 
> I do not see any sort of notice via anything one can listen to via the
> servlet API to receive notice of this change.
> 
> This makes things rather ugly if one is monitoring the sessions oneself
> -- as their identity changes out from under you without any notice.
> 
> Am I missing something here?  [Yes, I note the container event, but that
> necessitates Tomcat-specific code, etc -- especially given that this
> isn't fired as a JMX notification anywhere that I can see.]

No, you aren't missing anything.

Note the session object does not change, just the value returned for the ID.

This will hopefully get fixed in Servlet 3.1

Your other option is to turn off the session fixation protection (not
recommended).

Mark

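Servlet 3.1 did add what Mark hoped for: `javax.servlet.http.HttpSessionIdListener` (one method, `sessionIdChanged(HttpSessionEvent, String oldSessionId)`) and `HttpServletRequest.changeSessionId()`. Tomcat 8 implements both, and its form-authentication rotation is delivered through that listener, so the per-request bookkeeping becomes unnecessary. The following is an added example (my code, not Tomcat's); the logging and the `loginAndRotate` helper are illustrative, and the assumption is that the application uses container-managed authentication so that `HttpServletRequest.login` is backed by a configured realm.

```java
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import java.util.logging.Logger;

/**
 * Servlet 3.1 / Tomcat 8+: the container notifies listeners of every id
 * change, including the one Tomcat's session fixation protection performs
 * during FORM authentication, while the request is still in progress.
 */
@WebListener
public class SessionIdChangeListener implements HttpSessionIdListener {

    private static final Logger LOG = Logger.getLogger(SessionIdChangeListener.class.getName());

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession(); // the same object; only getId() differs
        String newSessionId = session.getId();
        // Re-key any monitoring data that is indexed by session id here, e.g.
        // SessionIdChangeTracker.rekey(oldSessionId, newSessionId) from the
        // Servlet 3.0 version, minus its request-lifecycle bookkeeping.
        LOG.info("session id rotated: " + prefix(oldSessionId) + " -> " + prefix(newSessionId));
    }

    /**
     * Programmatic login that rotates the id explicitly, so the application does
     * not depend on the container's default for session fixation protection.
     * Tomcat may already rotate inside login(); a second rotation is harmless.
     */
    public static String loginAndRotate(HttpServletRequest req, String user, String password)
            throws ServletException {
        req.login(user, password); // throws ServletException if the realm rejects the credentials
        if (req.getSession(false) == null) {
            // No pre-authentication session existed, so there was nothing an
            // attacker could have fixed; just start the authenticated one.
            return req.getSession(true).getId();
        }
        // Replace the id the unauthenticated client was using. This is what
        // triggers sessionIdChanged() on every registered HttpSessionIdListener.
        return req.changeSessionId();
    }

    private static String prefix(String id) {
        return id.length() > 8 ? id.substring(0, 8) + "..." : id;
    }
}
```

`changeSessionId()` throws `IllegalStateException` when the request has no session, which is why the helper checks for one first. On Tomcat 7 the rotation Mark refers to is controlled by the `changeSessionIdOnAuthentication` attribute of the authenticator valve (default `true`); the thread's advice stands: leave it on and adapt the monitoring code rather than the other way round.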