On 05/10/2012 04:54, Jan Bartel wrote:
> Hi,
>
> The 3.0 Spec sec 13.10 Login and Logout, page 145 says:
>
> "If a developer creates a session while a user is not authenticated,
> and the container then
> authenticates the user, the session visible to developer code after
> login must be the
> same session object that was created prior to login occurring so that
> there is no loss
> of session information."
>
> Does that mean that if a session exists before a user called
> Request.login(), the container cannot implement session fixation
> prevention and change the session id automatically?
No, it does not. That assumption is not correct.
> If changing the session id is actually permitted, should the above clause
> be taken to mean that the object must actually be one and the same?
> I.e. that sessionPrev == sessionNew ?
That is how I read it, what I intended when I proposed the change and
how Tomcat implements it. The object stays the same but the ID changes.
Tomcat doesn't create a new session object.
> Alternatively is the container not permitted to implement automatic
> session fixation prevention, and callers of Request.login() must
> explicitly call Request.changeSessionId()?
That is not correct. The container is free to implement session fixation
protection automatically. The expectation is that the session ID will be
changed but the session object will remain the same.
Mark
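The property Mark describes (the ID rotates on login, the session object does not) is easy to get wrong if a container implements "new ID" as "new session". The following is an added, self-contained illustration and is not code from this thread, from the Servlet specification or from Tomcat: the `Session` and `SessionManager` classes are hypothetical stand-ins for `HttpSession` and the container's session registry, and the in-memory user store and credentials are constructed for the demo only.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Illustrative model (not Tomcat's code) of session-fixation protection
// that keeps the spec's guarantee: the ID changes, the object does not.
public class SessionFixationDemo {

    /** Minimal stand-in for HttpSession: an ID plus an attribute map. */
    static final class Session {
        private String id;
        private final Map<String, Object> attributes = new HashMap<>();
        private Session(String id) { this.id = id; }
        public String getId() { return id; }
        public Object getAttribute(String name) { return attributes.get(name); }
        public void setAttribute(String name, Object value) { attributes.put(name, value); }
    }

    /** Stand-in for the container's session manager (hypothetical). */
    static final class SessionManager {
        private final Map<String, Session> sessions = new HashMap<>();
        private final SecureRandom random = new SecureRandom();
        // Constructed credential store for the demo only.
        private final Map<String, String> users = Map.of("alice", "demo-password");

        private String newId() {
            byte[] raw = new byte[16];               // 128 bits of CSPRNG output
            random.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }

        public Session createSession() {
            Session s = new Session(newId());
            sessions.put(s.getId(), s);
            return s;
        }

        public Session findSession(String id) { return sessions.get(id); }

        /** Rotates the ID in place: same object re-registered under a new key,
         *  old key dropped. Nothing stored in the session is lost. */
        public String changeSessionId(Session s) {
            sessions.remove(s.getId());
            s.id = newId();
            sessions.put(s.id, s);
            return s.id;
        }

        /** Models request.login(): authenticate, then rotate the ID. */
        public void login(Session s, String user, String password) {
            if (!Objects.equals(users.get(user), password)) {
                throw new SecurityException("authentication failed");
            }
            s.setAttribute("user", user);
            changeSessionId(s);                      // automatic fixation protection
        }
    }

    public static void main(String[] args) {
        SessionManager mgr = new SessionManager();
        // 1. A session exists before authentication. In a fixation attack the
        //    attacker already knows this ID (e.g. planted it in a URL or cookie).
        Session before = mgr.createSession();
        String fixedId = before.getId();
        before.setAttribute("cart", "3 items");     // pre-login state to preserve

        // 2. The container authenticates the user and rotates the ID.
        mgr.login(before, "alice", "demo-password");
        Session after = mgr.findSession(before.getId());

        // 3. The two properties the thread is about.
        boolean sameObject = (after == before);                  // sessionPrev == sessionNew
        boolean idChanged  = !fixedId.equals(after.getId());     // attacker's ID is stale
        boolean stateKept  = "3 items".equals(after.getAttribute("cart"));
        boolean oldIdDead  = mgr.findSession(fixedId) == null;   // old ID no longer resolves

        System.out.println("same object: " + sameObject);
        System.out.println("id changed:  " + idChanged);
        System.out.println("state kept:  " + stateKept);
        System.out.println("old id dead: " + oldIdDead);
        if (!(sameObject && idChanged && stateKept && oldIdDead)) {
            throw new AssertionError("fixation protection broke the session contract");
        }
    }
}
```

Run with `java SessionFixationDemo.java` on JDK 11 or later. Against a real container the same check is to hold a reference to `request.getSession(false)` and its `getId()` before calling `request.login(user, password)`, then confirm afterwards that the reference is identical, the ID differs, and a request presenting the old ID no longer maps to that session.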