Hi,
we have observed an odd behaviour with the session-fixation-protection property in our http setup. We currently define no property, which, according to the documentation, should default to migrate-session. However, in Firefox we can see from the request headers that the JSESSIONID never changes after a login, and we were actually able to perform a session fixation attack using a simple http client and the following scenario:
When logged out we copied the JSESSIONID, then we logged in and, using our http client, we sent a request for a secured page with a *Cookie* header containing the *logged out* JSESSIONID. Instead of being served the login page we were served the requested page, which is what we were expecting, as the ID was the same.
We are using Tomcat 6 and it seems as if our server is always returning the same JSESSIONID!
Has anyone come across this issue before? Do you think it's only related to Tomcat?
Thanks,
savvas
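The check described in the post, as an added example (not code from the poster, Spring Security or Tomcat): a toy in-memory session store models the two behaviours, keeping the pre-login id (what the poster observed) versus migrate-session (new id, attributes copied, old id invalidated), and `old_id_still_valid` replays the "present the logged-out JSESSIONID after login" test against each. Store, attribute names and user are constructed for the example.

```python
import secrets


class SessionStore:
    """Toy in-memory session store standing in for the servlet container
    (constructed for this example; not Tomcat's or Spring Security's code)."""

    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)  # unguessable id, like a JSESSIONID
        self.sessions[sid] = {}
        return sid

    def is_authenticated(self, sid):
        # A secured page is served only for a live session holding a principal.
        return "principal" in self.sessions.get(sid, {})


def login_keep_session(store, sid, user):
    """No fixation protection: the pre-login id stays valid after login."""
    store.sessions[sid]["principal"] = user
    return sid


def login_migrate_session(store, sid, user):
    """migrate-session behaviour: fresh id, attributes copied, old id dropped."""
    attrs = store.sessions.pop(sid, {})      # old id is no longer accepted
    new_sid = store.create()
    store.sessions[new_sid].update(attrs)    # e.g. a shopping cart survives
    store.sessions[new_sid]["principal"] = user
    return new_sid


def old_id_still_valid(login):
    """Replays the post's check: is the logged-out id accepted after login?
    True means the server is open to session fixation."""
    store = SessionStore()
    pre_login_sid = store.create()           # id copied while logged out
    store.sessions[pre_login_sid]["cart"] = ["item-1"]
    post_login_sid = login(store, pre_login_sid, "alice")
    assert store.is_authenticated(post_login_sid)  # login itself worked
    return store.is_authenticated(pre_login_sid)


if __name__ == "__main__":
    print("keep-session vulnerable:", old_id_still_valid(login_keep_session))
    print("migrate-session vulnerable:", old_id_still_valid(login_migrate_session))
```

Against a real deployment the same check is the one the poster ran: capture the cookie before login, authenticate, then confirm the pre-login value is rejected for a secured page.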