tomcat-dev mailing list archives

From Martin Grotzke
Subject Why does Manager.createSession(String) take a sessionId
Date Thu, 14 Jun 2012 19:45:09 GMT

I'm wondering why Manager.createSession(String) takes a sessionId that
gets set on the new session.

When a client invokes session.invalidate() and afterwards
request.getSession() he will get a new session with the same/previous
session id (yes, this is only done when the sessionId was submitted via
cookie, and only when "empty session path" flag is set in tc6 or the
session is bound to "/" in tc7).

I'm wondering why the sessionId is reused at all - what's the use case
for this?

Wouldn't it be more safe for users that are not aware of this fact to
always generate a new sessionId?

Thanx && cheers,

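The reuse described in the message above can be detected from application code at login time. The following is an added example, not part of the original post and not Tomcat's own code; the class and method names are hypothetical, it uses only standard `javax.servlet` calls, and failing closed on reuse is an assumed policy.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (names are assumptions) for use at login or privilege change. */
public final class SessionIdRotation {
    private static final Logger LOG = Logger.getLogger(SessionIdRotation.class.getName());

    private SessionIdRotation() {}

    /**
     * Invalidates the current session, creates a new one, and verifies that the
     * container did not hand back the ID the client presented.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        // ID the client sent (cookie or URL); null on a first request.
        String presentedId = request.getRequestedSessionId();

        HttpSession old = request.getSession(false);
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            old.invalidate();
        }

        // After invalidate(), this is where the container may reuse the old ID.
        HttpSession fresh = request.getSession(true);
        String freshId = fresh.getId();

        // equals(null) is false, so missing IDs never count as reuse.
        boolean reused = freshId.equals(oldId) || freshId.equals(presentedId);
        if (reused) {
            // Assumed policy: never attach authenticated state to a client-supplied ID.
            fresh.invalidate();
            // The session ID itself is deliberately kept out of the log.
            LOG.warning("Session ID reused after invalidate(); fromCookie="
                    + request.isRequestedSessionIdFromCookie());
            throw new IllegalStateException("container reused the client-supplied session ID");
        }
        return fresh;
    }
}
```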