tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: Entering secure part of application loses CDI SessionScoped objects
Date Mon, 21 Jan 2013 22:21:32 GMT
should work without it on trunk:
https://issues.apache.org/jira/browse/TOMEE-745

Note: the difference between your conf and the patch is that the patch keeps the
"change session id" behavior (which is secure)

*Romain Manni-Bucau*
*Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
*Blog: http://rmannibucau.wordpress.com/*
*LinkedIn: http://fr.linkedin.com/in/rmannibucau*
*Github: https://github.com/rmannibucau*



2013/1/21 William J. Eaton <wje@lifeformulae.com>

> On Mon, 2013-01-21 at 14:33 -0600, José Luis Cetina wrote:
> > If I remember, this is the default behavior starting from Tomcat 6.0.x; the
> > "name" is Session Fixation Protection. I remember if you don't want
> > this behavior you have to set the changeSessionIdOnAuthentication
> > attribute to false.
> Thanks.  That resolves the issue.  When I add the Valve directive below
> to context.xml, the application works as expected.
>   <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
>     changeSessionIdOnAuthentication="false"/>
>
> --
> William J. Eaton, wje@lifeformulae.com (713) 202-1620
> LifeFormulae, LLC
> 9119 Highway 6 South #228
> Missouri City, TX 77459
>
>
>
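
Added example, not part of the original messages or of TomEE's code: a small Python check that flags any `Valve` in a Tomcat/TomEE `context.xml` or `server.xml` that turns off `changeSessionIdOnAuthentication`, the workaround quoted above that gives up session fixation protection. The sample XML is constructed from the Valve in this thread, and the function name `find_disabled_rotation` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Valve from this thread, with protection disabled.
WEAK_CONTEXT = """<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="false"/>
</Context>"""

# Constructed sample: the same Valve with the attribute left at its default.
DEFAULT_CONTEXT = """<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"/>
</Context>"""

ATTR = "changeSessionIdOnAuthentication"


def find_disabled_rotation(xml_text):
    """Return classNames of Valves that keep the pre-login session id."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() walks the whole tree, so Valves nested under Host/Context
    # elements in a server.xml are covered as well.
    for valve in root.iter("Valve"):
        value = valve.get(ATTR)
        if value is None:
            continue  # attribute absent: the default (change the id) applies
        # Conservative choice of this script: anything other than "true"
        # is reported as protection being switched off.
        if value.lower() != "true":
            findings.append(valve.get("className", "<no className>"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONTEXT), ("default", DEFAULT_CONTEXT)):
        hits = find_disabled_rotation(text)
        status = "session id NOT changed on login" if hits else "ok"
        print(f"{label}: {status} {hits}")
```
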
