Collection of custom Tomcat valves.
This valve changes the session-id of an incoming secure request. The session id is only changed once for the first secure request. It does not destroy the previous session, rather it renames it so it is no longer found by the session-id used during unsecured requests
- Create a JAR containing the class and add it to the Tomcat
lib/folder. - Add the valve configuration to
conf/server.xml
...
<Valve className="valve.SessionFixationValve"/>
...