Tim Funk wrote:
If I read this correctly (big if), the solution could be a security problem. If I were a phisher, I might be able to send you an email with a link that would redirect you to a tomcat server with the new configuration in question with a special id. If the user were to perform other actions of a confidential nature, the attacker could swoop in and impersonate that session.

The phisher could easily be notified that the special session id was used and have a farm of warm bodies ready to attack.

Yes, this could maybe be used like this (maybe we could simply prevent URL session ids from being used for this purpose, which would likely solve the issue - I hope you can't set a cookie on another host). Obviously, if you're not using cookies for session tracking, then the emptySessionPath attribute is useless anyway, so there's no bug ;)


The problem is that I see no other acceptable solution (a global list of session id, which would be unbounded, would be bad, and introduce lots of complexity - the API change might be still needed anyway).

What do you think?

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
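The scenario Tim describes is a session fixation attack through a URL-carried session id: the attacker chooses the id, plants it in the phishing link, and waits for the victim to authenticate under it. The following is an added illustration, not Tomcat's code and not anything from this thread; it is a toy session store with two hypothetical switches (`accept_url_ids`, `regenerate_on_login`) that stand in for the behaviours under discussion. It assumes Tomcat's `;jsessionid=...` path-parameter form for URL session ids and models cookies and URLs as plain strings.

```python
import secrets


class SessionStore:
    """Toy server-side session store (added example, not Tomcat's implementation).

    accept_url_ids:      honour an unknown id supplied in the URL by creating a
                         session under it (the behaviour the thread worries about).
    regenerate_on_login: move session state to a fresh random id when the user
                         authenticates, so any id an attacker planted goes stale.
    Both switches are hypothetical knobs for this illustration.
    """

    def __init__(self, accept_url_ids: bool, regenerate_on_login: bool):
        self.sessions = {}  # session id -> dict of session attributes
        self.accept_url_ids = accept_url_ids
        self.regenerate_on_login = regenerate_on_login

    def _new_id(self) -> str:
        # Server-chosen, unpredictable id; the only safe source of session ids.
        return secrets.token_hex(16)

    def resolve(self, cookie_id, url_id) -> str:
        """Return the session id a request is bound to, creating one if needed.

        cookie_id: value of the JSESSIONID cookie, or None if absent.
        url_id:    value of ';jsessionid=...' in the request URL, or None.
        """
        # A cookie naming a session the server already knows wins.
        if cookie_id in self.sessions:
            return cookie_id
        # Unsafe path: adopt an id the client made up. The attacker now knows
        # the id the victim's session will live under.
        if url_id is not None and self.accept_url_ids:
            self.sessions.setdefault(url_id, {})
            return url_id
        # Safe default: ignore unknown client-supplied ids and mint a fresh one.
        sid = self._new_id()
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; optionally migrate it to a fresh id."""
        data = self.sessions[sid]
        if self.regenerate_on_login:
            del self.sessions[sid]       # the planted id stops resolving
            sid = self._new_id()
            self.sessions[sid] = data
        data["user"] = user
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store: SessionStore):
    """Play out the phishing scenario from the thread.

    Returns the user the attacker's final request is served as, or None if
    the attack failed. All ids and names are constructed for the example.
    """
    attacker_id = "ATTACKER-CHOSEN-ID"  # embedded in the phishing link

    # 1. Victim follows the link: no cookie yet, URL carries the planted id.
    victim_sid = store.resolve(cookie_id=None, url_id=attacker_id)
    # 2. Victim performs a confidential action (here: logs in). The browser
    #    keeps using whatever id the server handed back.
    victim_sid = store.login(victim_sid, "victim")
    # 3. Attacker, tipped off that the id was used, presents it as a cookie.
    return store.user_for(store.resolve(cookie_id=attacker_id, url_id=None))


if __name__ == "__main__":
    print(fixation_attack(SessionStore(accept_url_ids=True, regenerate_on_login=False)))   # victim
    print(fixation_attack(SessionStore(accept_url_ids=False, regenerate_on_login=False)))  # None
    print(fixation_attack(SessionStore(accept_url_ids=True, regenerate_on_login=True)))    # None
```

Either remedy closes the hole on its own: refusing to create sessions under a client-supplied URL id (the fix Rémy floats), or regenerating the id when the session's privilege level changes. A store that does neither hands the attacker the victim's authenticated session.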