
My entire application runs on SSL (https). We are using Tomcat 7 as the container. Now in context.xml I have added the configuration below, and I am expecting that after a successful login the JSESSIONID will be changed:

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />

But unfortunately the jsessionid is not getting changed. After studying a couple of articles, I came to know that the jsessionid only gets changed if we are switching from http to https. So I believe that, as my application runs on https, the jsessionid is not getting changed. Am I correct?

So, what I want is that the jsessionid should be modified after successful authentication is done, using some kind of configuration. I can invalidate the session and create a new session after authentication is done, but I prefer to do it using configuration, if possible.

Thanks, Kartic

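The programmatic fallback the question mentions (invalidate the pre-login session and start a new one so the browser gets a fresh JSESSIONID), as an added example that is not code from the question or from Tomcat. `LoginServlet`, the `/login` and `/home` paths and `checkCredentials()` are hypothetical names; the credential check is a stub you would replace with your own realm or user-store lookup.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** Hypothetical form-login servlet that rotates the session ID after a successful credential check. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        // Assumption: checkCredentials() is your own lookup against the user store.
        if (!checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only after a successful check does the session get a new JSESSIONID;
        // the ID the browser held before login is invalidated (session fixation defence).
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Copies the attributes of the pre-login session (if any), invalidates it,
     *  and creates a new session so the browser receives a fresh JSESSIONID cookie. */
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private boolean checkCredentials(String user, String password) {
        // Placeholder: replace with your realm/DAO check; the stub never grants access.
        return false;
    }
}
```

On a Servlet 3.1 container (Tomcat 8 and later) `req.changeSessionId()` does the rotation in one call while keeping the same session object; Tomcat 7 implements Servlet 3.0, which is why the copy-invalidate-recreate pattern above is shown instead.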
  • The default value for the `changeSessionIdOnAuthentication` attribute is `true`. http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Authentication/Attributes. Also I think it does not have anything to do with SSL. What is the full version number of Tomcat 7 you are using? – Evandro Pomatti Jul 07 '14 at 16:19
  • I just made a test with Tomcat 7.0.54. The JSESSIONID cookie value was changed as expected after basic authentication succeeded. I didn't need to change anything in my context.xml, as the value for the `changeSessionIdOnAuthentication` attribute is `true` by default. Please provide the full version number of your Tomcat. – Evandro Pomatti Jul 07 '14 at 16:42
  • Hi Evandro, thanks for your reply. Yes, the default value of the changeSessionIdOnAuthentication attribute is true. So there is basically no difference between the above changes I have done and the default configuration. We are using apache-tomcat-7.0.52. Also I have noticed something: when I am running the project in Eclipse, the jsessionid is getting changed. But somehow, when I am deploying in the development environment, it's not working. Any idea what might be the reason? – Kartic Jul 07 '14 at 18:10
  • Maybe you changed Tomcat behavior with custom configuration. I just executed an exported WAR in a Tomcat 7.0.52 without Eclipse and I received a new JSESSIONID from the server after authentication. Same as before. Did you try removing that `` element? – Evandro Pomatti Jul 07 '14 at 23:07
