tomcat-users mailing list archives

From William Stranathan
Subject New Session on Authentication?
Date Wed, 06 Apr 2005 14:49:23 GMT
Is there a configuration setting to force Tomcat to expire the old
session and put the user in a new one when they log in using any of
the Realms?  For example, this is a problem:

- User tries to access a restricted page - no session set up
- Tomcat redirects to the login page, appends ;jsessionid=<id> to the URL
- User successfully authenticates

Now, a URL with a valid session ID is in the user's history, might be
logged, and an unknowing user could copy/paste that URL to somebody,
say, in a newsgroup or something.

I'm using mod_rewrite on an Apache server in front of Tomcat to fix
the jsessionid going in the URL, but is there any way to force Tomcat
to make a new session upon authentication?  I know that this is not
always desirable - a user may have preferences in their session before
they authenticate, so I think it should be optional.

Thanks for any help.
Will Stranathan
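
The behaviour the message asks for, as an added example that is not part of the original post or of Tomcat's own code: a servlet filter that issues a new session ID the first time an authenticated principal appears on a session, while keeping the attributes stored before login. It assumes a Servlet 3.1+ container (for `HttpServletRequest.changeSessionId()`) and the `javax.servlet` namespace; the class name and the `example.sessionBoundUser` attribute are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical class name; added example, not code from the original message.
public class RotateSessionOnLoginFilter implements Filter {

    // Hypothetical attribute: records which user the current session ID was issued to.
    private static final String BOUND_USER = "example.sessionBoundUser";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);   // never create a session here
        Principal user = req.getUserPrincipal();        // null until login succeeds

        if (session != null && user != null) {
            String name = user.getName();
            // First authenticated request on this session, or a different user
            // than the one the ID was issued to: the pre-login ID (the one that
            // appeared as ;jsessionid=<id> in the login URL) must stop working.
            if (name != null && !name.equals(session.getAttribute(BOUND_USER))) {
                // Same HttpSession object, new ID: attributes set before login
                // (for example user preferences) are kept.
                req.changeSessionId();
                session.setAttribute(BOUND_USER, name);
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

Map the filter to `/*` so that it sees the first request that follows the login redirect.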
