Home/ Questions/Q 8378867
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T16:01:46+00:00

According to the tomcat docs, tomcat7 is not vulnerable to session fixation attack. But

  • 0

According to the tomcat docs, tomcat7 is not vulnerable to session fixation attack. But my tomcat 7.0.25 as well as 7.0.27 is vulnerable to this attack. JSESSIONID cookie value is not getting changed on successful login.

I added following Valves to my conf/context.xml. But this didn’t work. Please help me.

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.DigestAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" changeSessionIdOnAuthentication="true" />

I have also come to know that JSESSION ID cookie value only changes on authentication. What does authentication means ? Is it switching the application from http to https ?

Is there anything already built which can change the the jsession id value on login ? Right now I am changing this via code.

Thanks in advance. Please let me know if you need more info.

Regards,

Prashant Gupta

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Are you sure your application uses server security.

    These configuration only affect this behaviour if you’re using it.

    If your authentication uses for example custom or spring security authentication they will not apply and you will have to do this yourself.

    For example in spring sec there are parameters for that.

    Regards

    • 0