Since Tomcat 6.0.21 a mechanism called
Session Fixation was introduced. By default it is turned on. Therefore it might cause problems, if some implementation is based on the
SESSIONID.
In order to turn this security mechanism off, a special
Valve has to be introduced to all
Contexts, for which this mechanism should be removed.
<Valve className ="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication ="false" />
It can be added in the
server.xml of a Tomcat instance. After adjustments it will look like this:
<Context path="/path" reloadable="false">
<!-- Turn off session fixation -->
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
</Context>
After doing that the application is vulnerable to attacks based on caught
SESSIONID.