Tomcat not invalidating sessions
The user may simply leave the site without formally logging out -- like closing the browser window.
The server has no idea that the user will never return.
There is no "logged-in flag", at least not in the container.
The application may have such a flag -- possibly in a database?
Fragment of an Apache Tomcat source file from the org.apache.catalina.authenticator package, as quoted on the page (the file is cut off after the package declaration):

```java
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.catalina.authenticator;

import
```
This is why it is important to require sensitive operations to re-authenticate the user. Ideally you should be able to shut down the user's authorizations in addition to locking the authentication to the account, via your privilege and access management system.

Paul

On 8/19/2010 PM, David Langenberg wrote:
> management system. The problem is, as I understand it, if the application is relying on the AuthZ to be provided by the IdP in the form of attributes passed to the SP by the IdP.

The session-id can be "fixated" (by predicting the session id), but the nonce is independent of the cookie. The attacker would have to predict not only the session id (which can be done by tricking the victim into using a chosen session id) but also the nonce generated by the application, which should be extremely difficult.
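A concrete version of the points made in the posts above, written for this page as an added example (it is neither the posters' code nor part of Tomcat): the container only knows that a session object exists, so the application keeps its own logged-in state, discards the pre-login session id and issues a CSRF nonce at login, demands a recent authentication before a sensitive operation, shortens the idle timeout so a closed browser does not leave a 30-minute window, and keeps a per-user registry so that every session of a user can be shut down server-side when that user's authorizations are revoked. It assumes a javax.servlet 3.0 container (Tomcat 7 or 8; on Tomcat 10 and later the package is jakarta.servlet); the class name SessionGuard, the attribute names such as auth.user and the timeouts are hypothetical choices, not anything the page prescribes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Application-level session state that the container does not keep for you.
 * Hypothetical helper written for this page; not Tomcat code.
 */
public final class SessionGuard {
    static final String USER = "auth.user";              // the application's own "logged-in flag"
    static final String LAST_AUTH = "auth.lastAuthMillis";
    static final String NONCE = "auth.nonce";
    private static final SecureRandom RNG = new SecureRandom();

    /** Live sessions per user, so authorizations can be shut down server-side (per JVM only). */
    static final ConcurrentMap<String, Set<HttpSession>> SESSIONS = new ConcurrentHashMap<>();

    private SessionGuard() { }

    /** Call once the submitted credentials have been verified. */
    public static HttpSession login(HttpServletRequest req, String user) {
        // Drop whatever session id the browser arrived with: an attacker who planted
        // ("fixated") that id must not end up sharing the authenticated session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession s = req.getSession(true);            // fresh id issued by the container
        s.setMaxInactiveInterval(15 * 60);               // a closed browser lingers 15 min, not the 30 min default
        s.setAttribute(USER, user);
        s.setAttribute(LAST_AUTH, System.currentTimeMillis());
        s.setAttribute(NONCE, randomHex(16));            // CSRF nonce, unrelated to the cookie value
        SESSIONS.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet()).add(s);
        return s;
    }

    /** Logged-in user for this request, or null (no session, or a session nobody logged in to). */
    public static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return s == null ? null : (String) s.getAttribute(USER);
    }

    /** True when the last credential check is older than maxAgeMillis: re-authenticate before proceeding. */
    public static boolean needsReauth(HttpServletRequest req, long maxAgeMillis) {
        HttpSession s = req.getSession(false);
        Long last = s == null ? null : (Long) s.getAttribute(LAST_AUTH);
        return last == null || System.currentTimeMillis() - last > maxAgeMillis;
    }

    /** Record a successful re-authentication for a sensitive operation. */
    public static void markReauthenticated(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.setAttribute(LAST_AUTH, System.currentTimeMillis());
        }
    }

    /** Constant-time check of the nonce a state-changing request carried (form field or header). */
    public static boolean nonceValid(HttpServletRequest req, String submitted) {
        HttpSession s = req.getSession(false);
        String expected = s == null ? null : (String) s.getAttribute(NONCE);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     submitted.getBytes(StandardCharsets.US_ASCII));
    }

    /** Invalidate every session of a user (account lock, stolen credentials); returns how many were ended. */
    public static int revokeAll(String user) {
        Set<HttpSession> live = SESSIONS.remove(user);
        if (live == null) {
            return 0;
        }
        int ended = 0;
        for (HttpSession s : live) {
            try {
                s.invalidate();
                ended++;
            } catch (IllegalStateException alreadyExpired) {
                // the container timed it out between the lookup and the invalidate
            }
        }
        return ended;
    }

    private static String randomHex(int bytes) {
        byte[] b = new byte[bytes];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder(2 * bytes);
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    /** Keeps the registry in step with the container: timed-out or invalidated sessions drop out. */
    @WebListener
    public static final class Cleanup implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e) { }
        @Override public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession s = e.getSession();              // still readable while the listener runs
            String user = (String) s.getAttribute(USER);
            Set<HttpSession> live = user == null ? null : SESSIONS.get(user);
            if (live != null) {
                live.remove(s);
            }
        }
    }
}
```

In use, the login servlet calls SessionGuard.login(req, user) only after the password check succeeds; a filter in front of the sensitive URLs rejects any POST for which nonceValid(req, req.getParameter("nonce")) is false and sends the user back to the password prompt when needsReauth(req, 5 * 60 * 1000) is true; an administrator locking an account calls revokeAll(user). The registry lives in one JVM, so with Tomcat session replication across a cluster the revocation has to be broadcast or the flag kept in a shared store, which is the database the first post alludes to.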
Phisher uses user's credentials to authenticate to a shibboleth-protected site. Now, provided the phisher doesn't close out all their browser sessions they have an additional 7 hours of unrestricted access as that user to any other SP which relies on that IdP.