tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Grotzke <martin.grot...@googlemail.com>
Subject Re: Why does Manager.createSession(String) take a sessionId
Date Fri, 15 Jun 2012 07:16:58 GMT
On 06/15/2012 07:49 AM, Rainer Jung wrote:
> On 14.06.2012 21:45, Martin Grotzke wrote:
>> Wouldn't it be more safe for users that are not aware of this fact to
>> always generate a new sessionId?
> 
> Empty session path was originally meant to support a portal situation.
> Using it there would be only one session cookie valid for all contexts,
> because all sessions of a user would have the same ID.

Ok, makes sense.


> Usually the feature shouldn't be used for resuing a session id after
> invalidation but more for having all contexts using the same session id.
> I think this is no longer necessary, because the cookies is configurable
> per context now (e.g. its name).

If it's not intended that after session.invalidate() a
request.getSession() returns a session with the same id the catalina
request would just have to store that the
requestedSessionIdWasInvalidated so that in doGetSession it checks
additionally this property before invoking
manager.createSession(getRequestedSessionId());

Shall I submit an issue for this?

Cheers,
Martin




Mime
View raw message