Tomcat not invalidating sessions


A server can build on this base to provide additional features and capabilities.

For example, the Java Web Server has the ability to revert to using URL rewriting when cookies fail, and it allows session objects to be written to the server's disk as memory fills up or when the server shuts down.


We have a critical security issue which says that after login, the session ID does not change.

As this could lead to a "middle-man attack", we need to change the session ID after every login.
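What the finding above asks for is session ID rotation at the moment of authentication, so that an ID a client held (or was handed) before logging in is never valid for the authenticated session. Tomcat's own authenticators (FORM, BASIC, and so on, including what `HttpServletRequest.login()` triggers) already do this by default, controlled by the `changeSessionIdOnAuthentication` attribute of the authenticator valve; the case that needs application code is a login form the application handles itself. The servlet below is an added illustration, not code from the original page or from Tomcat: `LoginServlet`, the `/login` mapping, the `username`/`password` parameters and the hard-coded `authenticate` check are assumptions. It uses the `javax.servlet` API of Tomcat 8 and 9 (Tomcat 10 and later use the `jakarta.servlet` package with the same method names).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative application-managed login (hypothetical example, not Tomcat code).
 * Whatever session ID the client presented before authenticating is discarded;
 * the authenticated session always gets a freshly generated ID.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Placeholder credential check; a real application delegates to its identity store. */
    private boolean authenticate(String user, String password) {
        return "alice".equals(user) && "correct horse battery staple".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (user == null || password == null || !authenticate(user, password)) {
            // Do not touch the session on failure: nothing should be stored for an unauthenticated caller.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Servlet 3.1+ (Tomcat 8 and later): rotate the ID in place. Attributes are kept,
        // the old JSESSIONID stops resolving to this session, and Tomcat sends a new cookie.
        HttpSession session = req.getSession(true);
        String idBefore = session.getId();
        String idAfter = req.changeSessionId();

        // Only now, on the rotated session, mark the caller as authenticated.
        session.setAttribute("user", user);

        resp.setContentType("text/plain");
        resp.getWriter().printf("logged in; session id rotated: %b%n", !idBefore.equals(idAfter));
    }

    /**
     * Servlet 3.0 fallback (Tomcat 7): invalidate the pre-login session and rebuild it,
     * carrying across only the attributes that are safe to keep (for example a CSRF token
     * or a "return-to" URL). Callers pass the attribute names they want preserved.
     */
    static HttpSession rotateByInvalidate(HttpServletRequest req, String... keep) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                for (String k : keep) {
                    if (k.equals(name)) {
                        carried.put(name, old.getAttribute(name));
                    }
                }
            }
            old.invalidate();  // the old ID can no longer be used by anyone who learned it
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two checks worth making after deploying such code: log in with a browser and confirm the `Set-Cookie: JSESSIONID=...` in the login response differs from the cookie sent with the request, and confirm that a request replaying the pre-login ID is treated as unauthenticated. If the application relies on Tomcat's container authentication instead, verify that `changeSessionIdOnAuthentication` has not been set to `false` on the authenticator in `context.xml`.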

In a previous article I discussed the methods used for session tracking.

It has fundamental information about what a session is and how to manage it. Just to recap, a session is a conversation between a server and a client.

The Session Reaper provides a service similar to the JVM's garbage collection (GC): it is responsible for destroying any session that is no longer used, which is determined by that session having timed out.