Turning off the Session Fixation in Tomcat

Java Tomcat Security
Sebastian Misiewicz
Since Tomcat 6.0.21 a session fixation protection mechanism is built in: the session ID is changed when the user authenticates. By default it is turned on. Therefore it might cause problems if some implementation relies on the session ID staying the same across login.
In order to turn this security mechanism off, a special Valve has to be added to every Context for which the mechanism should be disabled; the valve class must match the authenticator the context uses (BasicAuthenticator below, for BASIC authentication).
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
It is added in the server.xml of the Tomcat instance. After the adjustment the Context looks like this:
<Context path="/path" reloadable="false">
  <!-- Turn off session fixation protection: keep the session ID across authentication -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
</Context>
After doing that the application is vulnerable to attacks based on a captured session ID (session fixation), because the ID issued before login stays valid after authentication.
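Because this setting silently weakens every context it is applied to, an added example (not part of the original post) of a small audit script: it scans a constructed server.xml for authenticator valves that set changeSessionIdOnAuthentication="false", and can also rewrite the setting back to "true". The sample XML and the function names are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): one context keeps the
# default behaviour, one disables id rotation with the valve from the post.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/modern" reloadable="false" />
        <Context path="/legacy" reloadable="false">
          <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                 changeSessionIdOnAuthentication="false" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

AUTHENTICATOR_PREFIX = "org.apache.catalina.authenticator."

def _rotation_disabled(valve):
    """True if this Valve is an authenticator with session id rotation switched off."""
    if not valve.get("className", "").startswith(AUTHENTICATOR_PREFIX):
        return False
    # Tomcat's default for the attribute is "true", so a missing attribute is safe.
    flag = valve.get("changeSessionIdOnAuthentication", "true")
    return flag.strip().lower() == "false"

def find_disabled_session_rotation(xml_text):
    """Return (context path, valve class) for every context that opts out of rotation."""
    root = ET.fromstring(xml_text)
    findings = []
    for context in root.iter("Context"):
        for valve in context.findall("Valve"):
            if _rotation_disabled(valve):
                findings.append((context.get("path", ""), valve.get("className")))
    return findings

def harden(xml_text):
    """Return the server.xml text with the attribute set back to "true" everywhere."""
    root = ET.fromstring(xml_text)
    for context in root.iter("Context"):
        for valve in context.findall("Valve"):
            if _rotation_disabled(valve):
                valve.set("changeSessionIdOnAuthentication", "true")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for path, cls in find_disabled_session_rotation(SAMPLE_SERVER_XML):
        print(f"{path}: {cls} disables session id rotation on login")
```

Note that ElementTree drops XML comments on round-trip, so harden() is meant for reporting and review, not for writing the file back unchanged.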