SEC-1462: SessionFixationProtectionFilter creates new session even when the requested session id is null or invalid. #1702
We ran into an issue where the hotspot browser on BlackBerry devices was not able to maintain the HttpSession. We are using Tomcat 6 as our web server. After investigation it was found that Tomcat is generating two Set-Cookie headers for JSESSIONID. Of these two JSESSIONIDs, the second one is valid; however, the hotspot browser is picking up the wrong one (i.e. the first one), and that is why it is not able to maintain the session. With further investigation it was found that the SessionFixationProtectionFilter invalidates the current session and then creates a new one if the user is authenticated during the current request. This was causing the multiple JSESSIONIDs.
Though the issue seems to be with the browser and Tomcat, the SessionFixationProtectionFilter creates a new session when it is not required, i.e. when the requested session id is invalid or null. So we need to add an extra condition that also checks for request.isRequestedSessionIdValid() in the already existing condition.
This not only fixes the issue mentioned but also improves performance, as we are avoiding unnecessary session creation.
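The condition the report proposes, shown as an added Java illustration that is not Spring Security's own SessionFixationProtectionFilter; the class name and the `authenticated` predicate hook are assumptions:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Constructed illustration, not Spring Security's SessionFixationProtectionFilter.
// After authentication the session is migrated to a fresh id, but only when the
// client presented a session id that is still valid: if none was sent, or it has
// expired, there is no pre-set id to "fix", so invalidating the just-created
// session would only add a second Set-Cookie: JSESSIONID header to the response.
public class SessionIdMigrationFilter implements Filter {
    // Hypothetical hook supplied by the application: is this request authenticated?
    private final Predicate<HttpServletRequest> authenticated;
    public SessionIdMigrationFilter(Predicate<HttpServletRequest> authenticated) { this.authenticated = authenticated; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        // The extra condition from the report: request.isRequestedSessionIdValid().
        boolean migrate = session != null
                && request.isRequestedSessionIdValid()
                && authenticated.test(request);
        if (migrate) {
            migrateSession(request, session);
        }
        chain.doFilter(req, res);
    }

    // Copy attributes into a new session and invalidate the old one (one new cookie).
    static HttpSession migrateSession(HttpServletRequest request, HttpSession old) {
        Map<String, Object> attrs = new HashMap<>();
        for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        attrs.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```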
Filip Hanik said:
The multiple JSESSIONID headers are a bug in Apache Tomcat.
Luke Taylor said:
Thanks for the report. I've added your fix to the 2.0.x branch and also applied an equivalent patch to the 3.0.x and master branches. Note that we don't anticipate any further public releases of the 2.0 series. However, you can apply the patch yourself and once the Tomcat fix is in place you should be able to upgrade to remove the problem with the multiple session-cookie headers.