tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: Why does Manager.createSession(String) take a sessionId
Date Fri, 15 Jun 2012 05:49:39 GMT
Hi Martin,

On 14.06.2012 21:45, Martin Grotzke wrote:
> Hi,
> I'm wondering why Manager.createSession(String) takes a sessionId that
> gets set on the new session.
> When a client invokes session.invalidate() and afterwards
> request.getSession() he will get a new session with the same/previous
> session id (yes, this is only done when the sessionId was submitted via
> cookie, and only when "empty session path" flag is set in tc6 or the
> session is bound to "/" in tc7).
> I'm wondering why the sessionId is reused at all - what's the use case
> for this?
> Wouldn't it be more safe for users that are not aware of this fact to
> always generate a new sessionId?

Empty session path was originally meant to support a portal situation. 
Using it there would be only one session cookie valid for all contexts, 
because all sessions of a user would have the same ID.

But empty session path is supposed to provide more problems than solve 
it, so it is good practise to not enable it.

Don't know the exact reasoning for TC 7.

Usually the feature shouldn't be used for resuing a session id after 
invalidation but more for having all contexts using the same session id. 
I think this is no longer necessary, because the cookies is configurable 
per context now (e.g. its name).



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message