Hi,

> If you want the *current* session for this request, you should always call
> request.getSession() instead.

Yes. This is correctly working in Tomcat 3.x: the getRequestedSessionId()
returns one of the IDs with preference to the cookie; the getSession()
returns the current session. Perfect.

However: in tc 4.x this does not work anymore since internal lookup uses
the requestedSessionId:

(From HttpRequestBase:)
-------
    if (requestedSessionId != null) {
        try {
            session = manager.findSession(requestedSessionId);
        } catch (IOException e) {
            session = null;
        }
    }
    if ((session != null) && !session.isValid())
        session = null;
-------

But this should be something like

-------
    // Try the id from the cookie first.
    if (requestedSessionIdFromCookie != null) {
        try {
            session = manager.findSession(requestedSessionIdFromCookie);
        } catch (IOException e) {
            session = null;
        }
    }
    if ((session != null) && !session.isValid())
        session = null;

    // If the session is still null, then consider the id from the URL.
    if (session == null && requestedSessionIdFromURL != null) {
        try {
            session = manager.findSession(requestedSessionIdFromURL);
        } catch (IOException e) {
            session = null;
        }
    }
    if ((session != null) && !session.isValid())
        session = null;
-------

That's my whole point.

> If case (b) happens, your client is broken.

admitted ;-)

-hen