1. Re: Session-fixation and org.apache.catalina.connector.Request.SESSION_ID_CHECK
sfcoy Oct 12, 2012 3:04 AM (in response to selfcare)
According to http://docs.jboss.org/jbossweb/2.1.x/sysprops.html it's a system property.
You can set this by adding:
{code}-Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=true{code}
to the value of the JAVA_OPTS environment variable in the $JBOSS_HOME/bin/run.conf or %JBOSS_HOME%\bin\run.conf.bat file, as appropriate.
You can also mitigate this problem by adding:
{code}<%
// Discard any session that existed before the login form is shown.
HttpSession tempSession = request.getSession(false);
if (tempSession != null) {
    tempSession.invalidate();
}
%>{code}
to the JSP that you have configured for your form login, or equivalent if it's not a JSP.
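The same mitigation for a login handled by a servlet instead of a JSP, as an added example that is not part of the original reply: it goes further than the scriptlet by rotating the session at the moment credentials are verified and by failing closed if the container hands back a pre-login session id. It assumes an application-managed login; the class name, request parameter names, session attribute name and the /home redirect are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: application-managed login that rotates the session id.
// Class name, parameter names, attribute name and /home are hypothetical.
public abstract class RotatingLoginServlet extends HttpServlet {

    // Supplied by the application (e.g. a lookup against its user store).
    protected abstract boolean credentialsAreValid(String user, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        if (!credentialsAreValid(user, request.getParameter("password"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any session that existed before authentication.
        HttpSession old = request.getSession(false);
        String oldId = (old != null) ? old.getId() : null;
        if (old != null) {
            old.invalidate();
        }

        // Ask the container for a new session and confirm the id changed.
        HttpSession fresh = request.getSession(true);
        String newId = fresh.getId();
        if (newId.equals(oldId) || newId.equals(request.getRequestedSessionId())) {
            // The container reused a pre-login id: fail closed.
            fresh.invalidate();
            throw new ServletException("Session id was not rotated at login");
        }

        fresh.setAttribute("authenticatedUser", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```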