tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: HttpServletRequest.getSession()
Date Tue, 14 Sep 2010 21:22:50 GMT
On 14/09/2010 21:54, Christopher Schultz wrote:
> I encourage others to test other browsers. This was exhausting. :)

To add to the 'fun', recent Tomcat versions will change the session ID
(but not the session object) on authentication to prevent session
fixation attacks.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
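
The behaviour described in the message above, as an added example that is not part of the original post and is not Tomcat's code: a toy in-memory session store in which login re-keys the same session object under a fresh ID, so an ID known before authentication stops resolving. The class and method names (`SessionFixationDemo`, `createSession`, `changeSessionId`, `login`) and the sample attribute values are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Toy model (hypothetical, not Tomcat code): sessions stored by session ID.
public class SessionFixationDemo {
    static final SecureRandom RNG = new SecureRandom();
    // session ID -> session object (its attribute map)
    static final Map<String, Map<String, Object>> STORE = new HashMap<>();

    static String newId() {
        return new BigInteger(128, RNG).toString(16);
    }

    static String createSession() {
        String id = newId();
        STORE.put(id, new HashMap<>());
        return id;
    }

    // Re-key the same session object under a fresh ID; the old ID is dropped.
    static String changeSessionId(String oldId) {
        Map<String, Object> session = STORE.remove(oldId);
        if (session == null) {
            throw new IllegalStateException("no such session");
        }
        String id = newId();
        STORE.put(id, session);
        return id;
    }

    // Authentication step: rotate the ID first, then record the user.
    static String login(String sessionId, String user) {
        String rotated = changeSessionId(sessionId);
        STORE.get(rotated).put("user", user);
        return rotated;
    }

    public static void main(String[] args) {
        String preAuthId = createSession();   // ID that existed before login
        Map<String, Object> before = STORE.get(preAuthId);
        before.put("cart", "3 items");        // constructed sample attribute

        String postAuthId = login(preAuthId, "alice");
        Map<String, Object> after = STORE.get(postAuthId);

        System.out.println("same session object: " + (before == after));
        System.out.println("cart preserved:      " + after.get("cart"));
        System.out.println("ID changed:          " + !preAuthId.equals(postAuthId));
        System.out.println("old ID still valid:  " + STORE.containsKey(preAuthId));
    }
}
```

Application code that stores the value of `getSession().getId()` before login and compares it afterwards will see a mismatch even though the attributes are intact.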

