
List:       tomcat-dev
Subject:    DO NOT REPLY [Bug 51283] Session Fixation is solved without an
From:       bugzilla () apache ! org
Date:       2011-05-28 18:29:11
Message-ID: bug-51283-78-MGSC6BS5a4 () https ! issues ! apache ! org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=51283

--- Comment #2 from Mark Thomas <markt@apache.org> 2011-05-28 18:29:11 UTC ---
Users can't place objects into the session. Only the application can do that.

If the application is doing something that is security sensitive before
authentication, I would class that as an application flaw.

I'm having trouble coming up with any scenarios where this would be an issue
that I don't view as an application rather than a container problem. With such a
scenario I could see an argument to make the behaviour on authentication
configurable (do nothing / change ID / create new session). Without such a
scenario this issue is going to get resolved as invalid.

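As an added illustration of the three behaviours the comment lists for the moment of authentication (do nothing / change ID / create new session), here is a login hook written for this page; it is example code, not Tomcat's own implementation or anything from the bug thread. The `onAuthenticated` entry point, the `isSafeToCarryOver` allow-list and the attribute names are assumptions, and `HttpServletRequest.changeSessionId()` is a Servlet 3.1 API, so it is not available in the Servlet 3.0 containers current when this comment was written.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Example login hook (not Tomcat code) showing the three candidate
 * behaviours on authentication. The application calls onAuthenticated()
 * once credentials are verified and before it stores any authenticated
 * state in the session.
 */
public final class SessionOnAuth {

    /** The three behaviours named in the bug comment. */
    public enum Mode { DO_NOTHING, CHANGE_ID, NEW_SESSION }

    private SessionOnAuth() {}

    public static HttpSession onAuthenticated(HttpServletRequest req, Mode mode, Object principal) {
        HttpSession session = req.getSession(true);
        switch (mode) {
            case DO_NOTHING: {
                // The pre-authentication session ID is kept. If that ID was known
                // before login, it now names an authenticated session; this is the
                // case the bug report is concerned about.
                break;
            }
            case CHANGE_ID: {
                // Servlet 3.1+: the same session object and all of its attributes
                // are retained, but the client is issued a fresh ID.
                req.changeSessionId();
                break;
            }
            case NEW_SESSION: {
                // Discard the pre-authentication session entirely and carry over only
                // the attributes the application explicitly allow-lists.
                Map<String, Object> keep = new HashMap<>();
                Enumeration<String> names = session.getAttributeNames();
                while (names.hasMoreElements()) {
                    String name = names.nextElement();
                    if (isSafeToCarryOver(name)) {
                        keep.put(name, session.getAttribute(name));
                    }
                }
                session.invalidate();
                session = req.getSession(true);
                for (Map.Entry<String, Object> e : keep.entrySet()) {
                    session.setAttribute(e.getKey(), e.getValue());
                }
                break;
            }
        }
        // Authenticated state is written only after the ID decision has been made,
        // so no security-sensitive data ever sits under a pre-authentication ID.
        session.setAttribute("auth.principal", principal);
        return session;
    }

    /** Assumed allow-list policy; the "ui." prefix is a placeholder for this example. */
    private static boolean isSafeToCarryOver(String attributeName) {
        return attributeName.startsWith("ui.");
    }
}
```

The ordering is the point the comment makes: whichever mode is chosen, the application must not put anything security-sensitive into the session before `onAuthenticated` runs, because `DO_NOTHING` and `CHANGE_ID` both preserve pre-login attributes and only `NEW_SESSION` filters them.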
