Changing JSESSION ID with Tomcat 7

Question

According to the tomcat docs, tomcat7 is not vulnerable to session fixation attack. But my tomcat 7.0.25 as well as 7.0.27 is vulnerable to this attack. JSESSIONID cookie value is not getting changed on successful login.

I added following Valves to my conf/context.xml. But this didn't work. Please help me.

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.DigestAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" changeSessionIdOnAuthentication="true" />

I have also come to know that JSESSION ID cookie value only changes on authentication. What does authentication means ? Is it switching the application from http to https ?

Is there anything already built which can change the the jsession id value on login ? Right now I am changing this via code.

Thanks in advance. Please let me know if you need more info.

Regards,

Prashant Gupta

Answer 1

Are you sure your application uses server security.

These configuration only affect this behaviour if you're using it.

If your authentication uses for example custom or spring security authentication they will not apply and you will have to do this yourself.

For example in spring sec there are parameters for that.

Regards