Hi,
According to the docs, Tomcat 7 is not vulnerable to session fixation attacks. But my
Tomcat 7.0.25, as well as 7.0.27, is vulnerable to this attack.
JSESSIONID is not getting changed on successful login.
I added the following Valve to my conf/context.xml, but this didn't work. Please help me.
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />
Thanks,
Prashant Gupta
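The changeSessionIdOnAuthentication attribute only takes effect when the container's authenticator valve performs the login; an application that checks credentials in its own servlet code needs to rotate the session itself. Below is an added example (not from the poster and not Tomcat's own code) of the portable Servlet 3.0 approach for Tomcat 7: invalidate the old session and issue a fresh one at login. The attribute name "user" and the helper class name are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session identifier after a successful application-level login.
 * Servlet 3.0 (Tomcat 7) has no request.changeSessionId(), so the portable
 * mitigation for session fixation is: invalidate the pre-login session and
 * create a new one, carrying over only the attributes that must survive.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /** Call this only after the credentials have been verified. */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String principalName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Copy selectively in real code: attacker-planted pre-login state
            // should not be carried into the authenticated session.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the old JSESSIONID is rejected from here on
        }
        // A new session means a new JSESSIONID in the response's Set-Cookie header.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", principalName); // hypothetical attribute name
        return fresh;
    }
}
```

To confirm the fix, compare the JSESSIONID cookie value received before the login request with the one in the Set-Cookie header of the login response; they should differ.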