tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 60854] Unintended JSESSIONID value change
Date Thu, 23 Mar 2017 20:27:13 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854

--- Comment #8 from Mark Thomas <markt@apache.org> ---
It is worth keeping in mind the change in session ID is relatively cheap. The
session object remains the same, it is just the ID field that is updated.

Using alwaysUseSession="true" on the Authenticator appears, on the face of it,
to be a simple solution to this problem.

I haven't tried coding it, but it looks like a fix triggered by session
creation would be possible. It would require some refactoring of
AuthenticatorBase.register to avoid duplication of code.

Overall, I do wonder if the additional complexity of the session creation
triggered fix is truly necessary.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message