List: tomcat-dev
Subject: DO NOT REPLY [Bug 51283] Session Fixation is solved without an
From: bugzilla () apache ! org
Date: 2011-05-28 18:29:11
Message-ID: bug-51283-78-MGSC6BS5a4 () https ! issues ! apache ! org/bugzilla/
https://issues.apache.org/bugzilla/show_bug.cgi?id=51283
--- Comment #2 from Mark Thomas <markt@apache.org> 2011-05-28 18:29:11 UTC ---
Users can't place objects into the session. Only the application can do that.
If the application is doing something that is security sensitive before
authentication, I would class that as an application flaw.
I'm having trouble coming up with any scenarios where this would be an issue
that I don't view as an application rather than a container problem. With such a
scenario I could see an argument to make the behaviour on authentication
configurable (do nothing / change ID / create new session). Without such a
scenario this issue is going to get resolved as invalid.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
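The three authentication-time behaviours the comment lists (do nothing / change ID / create new session) differ only when the application has already put something into the session before login. The following is an added example, not code from the bug report or from Tomcat: a toy in-memory session store with a hypothetical authenticate() hook that applies each policy, run through a classic fixation scenario (attacker obtains a valid session id and plants it in the victim's browser; victim logs in with it). The policy names, the store, and the pre-authentication "cart" attribute are all constructed for illustration.

```python
import secrets

# Hypothetical policy names for what the container does at authentication time.
DO_NOTHING, CHANGE_ID, NEW_SESSION = "do_nothing", "change_id", "new_session"


class SessionStore:
    """Minimal in-memory session manager: session id -> dict of attributes."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # None when the id is unknown, i.e. the client holds a dead session id.
        return self._sessions.get(sid)

    def authenticate(self, sid, user, policy):
        """Container-side login hook; returns the session id the client should use afterwards."""
        sess = self._sessions[sid]
        if policy == DO_NOTHING:
            # Same id, same attributes: whoever already knows `sid` now owns the login.
            sess["user"] = user
            return sid
        if policy == CHANGE_ID:
            # Fresh id, but every attribute stored before login survives.
            new_sid = secrets.token_hex(16)
            self._sessions[new_sid] = self._sessions.pop(sid)
            self._sessions[new_sid]["user"] = user
            return new_sid
        if policy == NEW_SESSION:
            # Old session is destroyed; nothing placed in it before login carries over.
            del self._sessions[sid]
            new_sid = self.create()
            self._sessions[new_sid]["user"] = user
            return new_sid
        raise ValueError(f"unknown policy {policy!r}")


def fixation_scenario(policy):
    """Run one fixation attempt under `policy` and report what the attacker ends up with."""
    store = SessionStore()
    # 1. Attacker requests a page and receives a valid, unauthenticated session id.
    fixed_sid = store.create()
    # 2. The application stores state before authentication (constructed example:
    #    a shopping cart the attacker filled while holding the id).
    store.get(fixed_sid)["cart"] = ["attacker-chosen-item"]
    # 3. Attacker plants fixed_sid in the victim's browser; the victim logs in with it.
    victim_sid = store.authenticate(fixed_sid, "victim", policy)
    attacker_view = store.get(fixed_sid)   # what the attacker's original id now resolves to
    victim_view = store.get(victim_sid)    # the session the victim is actually using
    return {
        "attacker_has_authenticated_session": (
            attacker_view is not None and attacker_view.get("user") == "victim"
        ),
        "preauth_data_survives": "cart" in victim_view,
    }


if __name__ == "__main__":
    for policy in (DO_NOTHING, CHANGE_ID, NEW_SESSION):
        print(policy, fixation_scenario(policy))
```

Changing the id on authentication is what closes the fixation hole: the attacker's planted id stops resolving. Creating a brand-new session additionally discards whatever the application stored before login, which is the only case where the two differ, and that is the situation the comment classes as an application flaw rather than a container one. In Tomcat the corresponding switch is the authenticator valve's changeSessionIdOnAuthentication attribute, which regenerates the id while keeping the session's attributes.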