Workaround for session fixation
Tomcat
Apache Tomcat 7 ships with session fixation protection for container-managed authentication (FORM, BASIC, DIGEST and CLIENT-CERT). When a user authenticates, Tomcat changes the session ID. It does not destroy the previous session: the same session object is re-keyed under a new ID, so its attributes survive, but the old ID no longer resolves to anything, and a session identifier an attacker planted before login is worthless after it. The behaviour is controlled by the changeSessionIdOnAuthentication attribute on the authenticator valve and is on by default; check that nobody has set it to false in the context configuration. Note that it only fires for logins the container itself performs. An application that validates credentials in its own code has to rotate the session ID itself, because Tomcat has no way of knowing that a login just happened.
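The application-side version of the same workaround, for a web app that does its own login instead of relying on container-managed authentication. This is an added example, not code from the original page or from Tomcat; LoginServlet, its in-memory user table and the /home redirect target are all constructed for the illustration, and the password hashing is only there to make the servlet self-contained, not a recommendation.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet showing the application-side workaround:
 * rotate the session ID once the credentials are accepted. Added example,
 * not code from the original page or from Tomcat.
 */
public class LoginServlet extends HttpServlet {

    // Constructed in-memory user store: username -> SHA-256 hex of password.
    // A real application would use its own user store and a salted, slow
    // password hash; this exists only so the example runs stand-alone.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", sha256Hex("correct horse battery staple"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (user == null || pass == null || !checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate AFTER the credentials are accepted and BEFORE any
        // authenticated state is stored: the ID the client (or an attacker
        // who planted it) held during login must never become the logged-in ID.
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Manual equivalent of what Tomcat's authenticator does for
     * container-managed logins. Servlet 2.5/3.0 has no "change my ID"
     * call, so the attributes are copied into a fresh session and the
     * old one is invalidated.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login ID now resolves to nothing
        }
        HttpSession fresh = req.getSession(true); // new ID, new Set-Cookie
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private static boolean checkCredentials(String user, String pass) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison of the two digests.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                sha256Hex(pass).getBytes(StandardCharsets.UTF_8));
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two differences from Tomcat's built-in behaviour are worth knowing. Because this invalidates and recreates rather than renaming, HttpSessionListener destroy and create callbacks fire, and any code holding a reference to the old HttpSession object is left with a dead one; Tomcat's rename keeps the same object, so neither happens. On Servlet 3.1 containers (Tomcat 8 and later) the whole rotateSession method collapses to a single request.changeSessionId() call, which re-keys the session the same way the container does.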
IIS
TBD