Re: secure cookies

2013-07-30 Thread Prafull
> > change.
> >
> > Tomcat changes the session id (without actually destroying the
> > session) after authentication, so if you are using Tomcat's
> > authentication, then there is no need for the invalidation you describe
> > above.
> >
> We don't use Tomcat Auth, though I'm arguing for changing to Tomcat w/Form
> Auth so it's easier to support 2-factor auth for those customers who insist
> on it. I'm not sure of the exact methodology employed, but I'm sure it's
> similar.
>
Thanks Christopher for the clarification and the link

--
BR,
Prafull

Re: secure cookies

2013-07-30 Thread Prafull
Hi Christopher,

When you say that after successful authentication Tomcat re-creates a new session, what do you mean by that? Can you explain it in a bit more detail?

--
BR,
Prafull
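The behaviour described in the quoted reply earlier in the thread (the session id changes after authentication while the session itself is kept), shown as an added example that is not part of the original messages and is not Tomcat's code. The class, the in-memory store and the sample attribute values are constructed for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Constructed model of a session store; illustrates id rotation only.
public class SessionIdRotationDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> session attributes
    private final Map<String, Map<String, Object>> sessions = new HashMap<>();

    static String newId() {
        return new BigInteger(130, RNG).toString(32);
    }

    String create() {
        String id = newId();
        sessions.put(id, new HashMap<>());
        return id;
    }

    // Issue a new id for an existing session and keep its attributes.
    // An application doing its own authentication on a Servlet 3.1+
    // container can get the same effect with
    // HttpServletRequest.changeSessionId() right after the login succeeds.
    String changeSessionId(String oldId) {
        Map<String, Object> attrs = sessions.remove(oldId);
        if (attrs == null) throw new IllegalStateException("no such session");
        String id = newId();
        sessions.put(id, attrs);
        return id;
    }

    boolean isValid(String id) { return sessions.containsKey(id); }

    public static void main(String[] args) {
        SessionIdRotationDemo store = new SessionIdRotationDemo();
        String preLogin = store.create();   // id that existed before login
        store.sessions.get(preLogin).put("cart", "3 items");

        // ... the application's own login code verifies credentials here ...
        String postLogin = store.changeSessionId(preLogin);
        store.sessions.get(postLogin).put("user", "alice");

        System.out.println("pre-login id still valid: " + store.isValid(preLogin));
        System.out.println("post-login id valid:      " + store.isValid(postLogin));
        System.out.println("pre-login data kept:      " + store.sessions.get(postLogin).get("cart"));
    }
}
```

The id that was in use before login stops resolving to a session, so a cookie value known before authentication does not carry the authenticated state, while data stored earlier in the session is still there.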