Question

I needed to change JSESSIONID's domain to ".something.com" in a context.xml file:

<Context path="/test" sessionCookiePath="/" sessionCookieDomain=".something.com" useHttpOnly="true" />

After that, when I call httpSession.invalidate(), the session is reset but the JSESSIONID value does not change.

I'm using Java 7, Spring MVC and Tomcat 7. I also tried to remove the JSESSIONID cookie manually, but it seems that Tomcat or Spring are not letting me change its value.

This may make troubleshooting difficult on my system. I'd like to know if it's possible to change this behavior either in Spring or in Tomcat.


Solution

I found the problem in Tomcat's documentation:

"Note: Once one web application using sessionCookiePath="/" obtains a session, all subsequent sessions for any other web application in the same host also configured with sessionCookiePath="/" will always use the same session ID. This holds even if the session is invalidated and a new one created. This makes session fixation protection more difficult and requires custom, Tomcat specific code to change the session ID shared by the multiple applications."

Source: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

The issue is related to the cookie path, not the domain.

Other tips

Assuming you're using Spring Security, you can configure the session logout handler to delete the cookie for you.

    ...
    <logout delete-cookies="JSESSIONID">
    ...

Or, in Java configuration, in a WebSecurityConfigurerAdapter:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            ...
            .logout()
                .deleteCookies("JSESSIONID");
    }

If you're not using Spring Security, you can probably install a Filter object into Spring's existing filter chain to delete the Set-Cookie header in outgoing requests whose sessions have been invalidated (or on whatever condition you specify, at that point). This is more or less what Spring Security's logout handlers do, anyway.
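A filter along the lines of the last paragraph, as an added example rather than code from the answer or from Spring: it expires the JSESSIONID cookie on the client when the application has invalidated the session during the request. The class name is hypothetical; the domain and path are assumed to be the same values as in the question's context.xml, and the filter is assumed to be registered in web.xml or in Spring's filter chain ahead of the handlers.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Expires the JSESSIONID cookie when the application invalidated the session
 * during this request. The cookie attributes must match the ones Tomcat issued
 * (sessionCookieDomain / sessionCookiePath in context.xml); otherwise the
 * browser treats it as a different cookie and keeps the old one.
 */
public class ExpireSessionCookieFilter implements Filter {

    // Assumed to equal the values configured in context.xml.
    private static final String COOKIE_DOMAIN = ".something.com";
    private static final String COOKIE_PATH = "/";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean hadSession = request.getSession(false) != null;
        chain.doFilter(request, response);

        // getSession(false) returns null once the handler has called invalidate()
        // without creating a replacement session.
        boolean sessionGone = request.getSession(false) == null;
        if (hadSession && sessionGone && !response.isCommitted()) {
            Cookie expired = new Cookie("JSESSIONID", "");
            expired.setMaxAge(0);            // Max-Age=0 tells the browser to drop it
            expired.setPath(COOKIE_PATH);
            expired.setDomain(COOKIE_DOMAIN);
            expired.setHttpOnly(true);
            response.addCookie(expired);
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

If the handler commits the response before returning (a redirect or a flushed body), addCookie is silently ignored, so in that case wrap the response or expire the cookie from the handler itself.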

License: CC-BY-SA with attribution
Not affiliated with StackOverflow