tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
Date Fri, 04 Jun 2010 12:51:42 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #28 from Arvind Srinivasan <yoarvi@gmail.com> 2010-06-04 08:51:33 EDT ---
Should changing the session id of an existing session object be treated the
same as creating a new session i.e. should the session creation listeners be
triggered?

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java?r1=903083&r2=918761
invokes setId() which in turn invokes the session creation listeners in
tellNew().

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message