Since Tomcat 6.0.21 a protection against Session Fixation has been built in: on successful authentication the container replaces the session ID with a new one. It is turned on by default, so it can break an implementation that relies on the session ID (SESSIONID) staying the same across login.
To turn this security mechanism off, a dedicated Valve has to be added to every Context for which the protection should be disabled:
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
It is added inside the Context element in the server.xml of the Tomcat instance (the authenticator class must match the auth-method of that web application; BasicAuthenticator is shown here). After the adjustment the Context looks like this:
<Context path="/path" reloadable="false">
    <!-- Turn off session fixation protection -->
    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
</Context>
After doing that the application is vulnerable to session fixation attacks, i.e. attacks based on a captured or pre-set SESSIONID that stays valid after the victim logs in.
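Because the attribute silently weakens every Context it is applied to, it is worth auditing a configuration for it. The following script is an added example (not part of the original note and not Tomcat's own tooling): it parses a server.xml and reports every Context whose authenticator Valve sets changeSessionIdOnAuthentication="false". The embedded server.xml is a constructed sample; the context paths /legacy and /secure are assumptions for illustration.

```python
"""Audit a Tomcat server.xml for authenticator valves that switch off
session-ID regeneration on login (changeSessionIdOnAuthentication="false")."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment):
# /legacy has the protection switched off, /secure keeps the default (true),
# and the Host-level AccessLogValve must be ignored by the audit.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" />
        <Context path="/legacy" reloadable="false">
          <!-- Turn off session fixation protection -->
          <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                 changeSessionIdOnAuthentication="false" />
        </Context>
        <Context path="/secure" reloadable="false">
          <Valve className="org.apache.catalina.authenticator.FormAuthenticator" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# All of Tomcat's built-in authenticator valves live in this package.
AUTHENTICATOR_PREFIX = "org.apache.catalina.authenticator."


def find_disabled_fixation_protection(server_xml: str) -> list:
    """Return one finding per Context whose authenticator Valve disables
    session-ID regeneration. Each finding is {"path": ..., "valve": ...}.
    A missing attribute counts as the default, which is "true"."""
    root = ET.fromstring(server_xml)
    findings = []
    for context in root.iter("Context"):
        path = context.get("path", "")
        # Only direct children: valves on Host/Engine are not authenticators
        # for this context and are skipped.
        for valve in context.findall("Valve"):
            class_name = valve.get("className", "")
            if not class_name.startswith(AUTHENTICATOR_PREFIX):
                continue
            flag = valve.get("changeSessionIdOnAuthentication", "true")
            if flag.strip().lower() == "false":
                findings.append({"path": path, "valve": class_name})
    return findings


if __name__ == "__main__":
    for finding in find_disabled_fixation_protection(SAMPLE_SERVER_XML):
        print(f"{finding['path']}: session fixation protection disabled "
              f"by {finding['valve']}")
```

For a real audit, read the file with open(...).read() instead of the embedded sample, and also check any per-application context.xml files (conf/Catalina/<host>/*.xml and META-INF/context.xml), since a Context with the same Valve can be declared there as well.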