SEC-2692: Tomcat's session fixation protection conflicts with concurrency control #2913

Open
@spring-projects-issues

Description

George Angeletos (Migrated from SEC-2692) said:

By default in Tomcat 7 the session fixation protection is enabled. That means that if you are using SSL mutual (client-cert) authentication (Tomcat side) and form-login authentication with SS the concurrency control is effectively bypassed.

In order for the CompositeSessionAuthenticationStrategy to properly work the changeSessionIdOnAuthentication attribute must be set to false on the SSLAuthenticator in /conf/context.xml:

<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="false" />

Please add a warning in the documentation (http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#concurrent-sessions) as it's a big frustration - at least it was for me :)

Regards,
George
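To make the interaction concrete, here is a simplified model, constructed for this issue and not taken from Spring Security or Tomcat, of how a registry-based concurrency control loses sight of a session whose id the container changed behind its back. With the "expire oldest" policy the second login marks the old id expired, but the first browser keeps presenting an id the registry has never seen, so both sessions stay active; with the id change disabled the expiry is enforced. All class and function names below are made up for the illustration.

```python
# Constructed, simplified model (not Spring Security or Tomcat code): a registry that
# caps sessions per principal by expiring the oldest, and a container that may rotate
# the session id at client-cert authentication without telling the registry.
import itertools

_ids = itertools.count(1)


def new_session_id() -> str:
    return f"SID{next(_ids)}"  # assumed id generator; real containers use random ids


class SessionRegistry:
    def __init__(self, max_sessions: int = 1):
        self.max_sessions = max_sessions
        self.sessions: dict[str, dict] = {}  # sid -> {"principal": str, "expired": bool}

    def register_login(self, principal: str, sid: str) -> None:
        active = [s for s, i in self.sessions.items()
                  if i["principal"] == principal and not i["expired"]]
        # Default "expire oldest" policy: mark the oldest sessions expired so the new one fits.
        for old in active[: max(0, len(active) + 1 - self.max_sessions)]:
            self.sessions[old]["expired"] = True
        self.sessions[sid] = {"principal": principal, "expired": False}

    def request_allowed(self, sid: str) -> bool:
        """Per-request filter check: reject only ids the registry knows and has expired."""
        info = self.sessions.get(sid)
        return info is None or not info["expired"]


def container_authenticate(sid: str, change_session_id_on_auth: bool) -> str:
    """Client-cert authentication step; replaces the id if the valve is configured to."""
    return new_session_id() if change_session_id_on_auth else sid


def simulate(change_session_id_on_auth: bool, max_sessions: int = 1) -> dict:
    registry = SessionRegistry(max_sessions)
    sid_a = new_session_id()               # browser A logs in via the form
    registry.register_login("george", sid_a)
    # On a later request the container authenticates the client cert again and may
    # replace A's session id; the registry never learns about the new id.
    sid_a_now = container_authenticate(sid_a, change_session_id_on_auth)
    sid_b = new_session_id()               # browser B logs in as the same principal
    registry.register_login("george", sid_b)  # registry expires A's *old* id
    return {"a_allowed": registry.request_allowed(sid_a_now),
            "b_allowed": registry.request_allowed(sid_b),
            "a_id_changed": sid_a_now != sid_a}
```

`simulate(True)` reports both browsers allowed (the cap of one session is bypassed), while `simulate(False)` reports browser A rejected as intended.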

Labels: in: docs (An issue in Documentation or samples), type: jira (An issue that was migrated from JIRA), type: task (A general task)