tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Res: Res: JSESSIONID Cookie handle customizing
Date Fri, 15 Oct 2010 16:56:07 GMT
On 15/10/2010 17:47, Juliano Daloia de Carvalho wrote:
> Chuck, I can't say explicitly why I need to use this info on the session, but it is
> related to security issues.
>
> And you are right, it is much more plausible to do this as you said, but I
> can't afford to do that.

If you need to control the session ID then the right way to do this is
to extend the Manager and override generateSessionId(). Anything else is
going to be fragile, particularly when you factor in that Tomcat will
change the session ID on authentication to prevent session fixation.

Mark
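
The approach described in the reply above, sketched as an added example (not code from the original message or from the Tomcat project): a `StandardManager` subclass that overrides `generateSessionId()`. The package, class name and `tag` property are hypothetical; it assumes a Tomcat version whose `ManagerBase` exposes the protected `generateSessionId()` method and `sessions` map.

```java
package com.example.session; // hypothetical package name

import java.util.regex.Pattern;
import org.apache.catalina.session.StandardManager;

/**
 * Added example: controls the session ID format by overriding
 * generateSessionId() in the Manager instead of rewriting the cookie.
 */
public class TaggedSessionManager extends StandardManager {

    // Restrict the tag to characters that are safe in a cookie value and in
    // a ;jsessionid= path parameter.
    private static final Pattern SAFE_TAG = Pattern.compile("[A-Za-z0-9]{1,16}");

    private volatile String tag = "app"; // hypothetical default value

    // Exposed as a bean property so it can be set as a <Manager> attribute.
    public void setTag(String tag) {
        if (tag == null || !SAFE_TAG.matcher(tag).matches()) {
            throw new IllegalArgumentException(
                    "tag must be 1-16 alphanumeric characters");
        }
        this.tag = tag;
    }

    public String getTag() {
        return tag;
    }

    @Override
    protected String generateSessionId() {
        String id;
        do {
            // Keep Tomcat's own random ID (and any jvmRoute suffix) intact and
            // only prepend the tag, so the ID stays unpredictable. The tag is
            // visible to the client: never put secrets or user data in it.
            id = tag + "-" + super.generateSessionId();
        } while (sessions.containsKey(id)); // re-check uniqueness of the final ID
        return id;
    }
}
```

The manager is enabled with `<Manager className="com.example.session.TaggedSessionManager" tag="app1"/>` in the web application's context.xml. Because the replacement ID issued on authentication is also generated by the Manager, the custom format survives that session ID change.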
