Question

I have a Tomcat 8 server in which I have two web apps. I want to give access to both applications by authenticating a user once.

I did it by setting sessionCookiePath="/" in catalina/conf/context.xml like this:

<Context useHttpOnly="false" sessionCookiePath="/">

Now the problem I am facing is that Tomcat is not changing the session ID anymore. I got a warning message.

Warn org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - your servlet container did not change the session id when a new session was created

At this link it is said that Tomcat takes care of that by default: http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection

How can I fix it?

Thanks


Solution

Yes, this is expected behaviour. The documentation hints at this but does not make it explicitly clear.

Setting sessionCookiePath="/" is treated as a special case to support portlet implementations. Once one web application obtains a session all subsequent sessions for any web application also configured with sessionCookiePath="/" will always get the same session ID. This holds even if the session is invalidated and a new one created.

If a set of web applications operates in this mode, changing the session ID is a lot harder. You'd have to write a custom Tomcat component to do it for you, and even then I'm not sure that you can guarantee a smooth changeover.
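As an added example (not part of the original question or answer, and not Tomcat or Spring Security code), the following check reproduces what the Spring warning above is detecting: it compares the JSESSIONID cookie issued before and after authentication and reports whether the ID rotated, and whether the cookie is scoped to the shared Path=/ discussed in the answer. The Set-Cookie header values are constructed sample data.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values, as a client would capture them from
# the first unauthenticated response and from the response to the login POST.
PRE_AUTH = ["JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly"]
# Same ID after login: the behaviour the question's warning message reports.
POST_AUTH_SAME_ID = ["JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly"]
# Fresh ID after login, cookie scoped to one application.
POST_AUTH_NEW_ID = ["JSESSIONID=Z9Y8X7W6V5U4; Path=/app1; HttpOnly"]


def session_cookie(set_cookie_headers, name="JSESSIONID"):
    """Return (value, path) of the named cookie from a list of Set-Cookie
    header values, or (None, None) when no such cookie was issued."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            morsel = jar[name]
            return morsel.value, (morsel["path"] or None)
    return None, None


def fixation_check(pre_auth_headers, post_auth_headers, name="JSESSIONID"):
    """Compare the session cookie before and after authentication.

    'rotated' is True only when a new cookie with a different ID was issued
    after login. If the login response sets no session cookie at all, the
    pre-auth ID stays in effect, so that also counts as not rotated."""
    before, path_before = session_cookie(pre_auth_headers, name)
    after, path_after = session_cookie(post_auth_headers, name)
    rotated = before is not None and after is not None and before != after
    path = path_after or path_before
    return {
        "before": before,
        "after": after,
        "rotated": rotated,
        "path": path,
        # Path=/ is the portlet-style shared-session mode the answer describes.
        "shared_path": path == "/",
    }


if __name__ == "__main__":
    print(fixation_check(PRE_AUTH, POST_AUTH_SAME_ID))
    print(fixation_check(PRE_AUTH, POST_AUTH_NEW_ID))
```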

Licensed under: CC-BY-SA with attribution