Spring Security issue SEC-2692

Tomcat's session fixation protection conflicts with concurrency control


    Details

      Description

      By default in Tomcat 7 the session fixation protection is enabled. That means that if you are using SSL mutual (client-cert) authentication (Tomcat side) and form-login authentication with Spring Security, the concurrency control is effectively bypassed.

      In order for the CompositeSessionAuthenticationStrategy to work properly, the changeSessionIdOnAuthentication attribute must be set to false on the SSLAuthenticator in <tomcat-home>/conf/context.xml:

      <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="false" />
      

      Please add a warning in the documentation (http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#concurrent-sessions), as it's a big frustration; at least it was for me.

      Regards,
      George
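A minimal end-to-end configuration for the setup the report describes, as an added example that is not the reporter's own configuration and not taken from the Spring Security project: the Tomcat 7 SSLAuthenticator valve with the session-id change disabled, shown next to the default it replaces, plus a Spring Security 3.2 namespace configuration that combines X.509 and form login with a one-session-per-principal limit. The subject-principal regular expression, the intercept pattern and the in-memory user are placeholders; the web.xml and server.xml requirements are noted in comments rather than shown in full.

```xml
<!-- File 1: <tomcat-home>/conf/context.xml (or the web app's META-INF/context.xml).
     Assumes the HTTPS connector in server.xml has clientAuth="true" (or "want")
     and the web app declares <auth-method>CLIENT-CERT</auth-method> in web.xml;
     declaring the valve explicitly overrides the authenticator Tomcat would add. -->
<Context>

    <!-- Tomcat 7 default (shown commented out): changeSessionIdOnAuthentication is
         true, so the container issues a new session id after a successful client-cert
         authentication. That container-side session fixation protection is what the
         report says defeats Spring Security's concurrency control. -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" />
    -->

    <!-- Setting from the report: keep the session id stable so Spring Security's
         CompositeSessionAuthenticationStrategy / SessionRegistry keep tracking the
         same id they registered. -->
    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
           changeSessionIdOnAuthentication="false" />

</Context>


<!-- File 2: WEB-INF/spring-security.xml, Spring Security 3.2 namespace configuration.
     web.xml must also register
       <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
     so that session-destroyed events reach the SessionRegistry; without it the
     registry never releases a slot when a session expires. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http>
        <!-- Placeholder access rule -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <!-- Client certificate from the mutual-TLS handshake; the regex extracting
             the principal from the subject DN is a placeholder. -->
        <x509 subject-principal-regex="CN=(.*?)," />

        <!-- Form login for users without a certificate -->
        <form-login />
        <logout />

        <session-management>
            <!-- Concurrency control: one concurrent session per principal; a second
                 login attempt is rejected instead of expiring the first session. -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Placeholder in-memory user -->
                <user name="alice" password="alice-password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

Caveat for anyone applying the workaround: turning off changeSessionIdOnAuthentication removes Tomcat's own defence against session fixation for the client-cert path, so make sure Spring Security's session-fixation-protection on <session-management> (the default in 3.2 is migrateSession) stays enabled so that the form-login path is still protected.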

             People

             Assignee: Unassigned
             Reporter: georgea (George Angeletos)
             Votes: 0
             Watchers: 3