tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28709] - javax.servlet.http.HttpServletRequest.isRequestedSessionIdValid() returns true for an invalidated session!
Date Tue, 08 Jun 2004 16:19:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28709>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28709

javax.servlet.http.HttpServletRequest.isRequestedSessionIdValid() returns true for an invalidated
session!





------- Additional Comments From blumm@apache.org  2004-06-08 16:19 -------
SRV.7.3(from Version 2.4) says:
...
To illustrate this requirement with an example: if a servlet uses the
RequestDispatcher to call a servlet in another Web application, any sessions
created for and visible to the servlet being called must be different from those
visible to the calling servlet.

By the way the spec. does not distinguish at this point between a named request
dispatcher and a regular one.

What do you exactly mean by saying "you're going to interact with the session
from the first context, which is a problem" ? Does not the Spec. cover the
request wrapper in an consistent manner with SRV.7.3 ?

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message