Begin forwarded message:


Hi,

I've a context.xml like so:

<Context
   sessionCookieDomain="acme.org"
   sessionCookieName="acme"
   useHttpOnly="true"
   disableURLRewriting="true">

  <!-- disable persistent sessions -->
  <Manager pathname="" />

</Context>


I'm using Spring Security, which creates a new session after a user has been
authenticated to prevent session fixation attacks. Everything works as expected
*unless* I add a sessionCookiePath="/" to the config above. With the cookie
path set to root the following code (inside Spring Security's
SessionFixationProtectionStrategy):

HttpSession session = request.getSession();
String originalSessionId = session.getId();
...
session.invalidate();
session = request.getSession(true); // we now have a new session
…

will yield the *original* session again! I'm running on Tomcat 7.0.42.

Setting the cookie path to root is not necessary in my case (because I'm 
running the webapp as ROOT anyhow), but is this expected behaviour?

Regards,
Stefan


--
Stefan Haberl
http://christa-und-stefan.net
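The invalidate-then-recreate step described in the message, written out as an added example (not code from the original message, from Spring Security or from Tomcat): a hypothetical Servlet 3.0 helper that carries the session attributes across the swap and fails closed when the container hands back the original id, which is the symptom reported above. The class name and the use of java.util.logging are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotates the session id after login, as Spring Security's
 *  SessionFixationProtectionStrategy does on a Servlet 3.0 container such as
 *  Tomcat 7, and verifies that the rotation actually took effect. */
public final class SessionRotation {
    private static final Logger LOG = Logger.getLogger(SessionRotation.class.getName());

    private SessionRotation() {}

    /**
     * Invalidates the current session, creates a fresh one carrying the same
     * attributes, and returns the new id. Throws if the container returned the
     * original id again, because the authenticated state would then be bound to
     * an id the client already held before logging in.
     */
    public static String rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-authentication session exists, so there is nothing to fixate.
            return request.getSession(true).getId();
        }
        String originalId = old.getId();

        // Preserve attributes (e.g. the authenticated principal) across the swap.
        Map<String, Object> attrs = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }

        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Fail closed rather than continue with an unrotated id; do not log the id itself.
        if (originalId.equals(fresh.getId())) {
            LOG.severe("Session id was not rotated after authentication");
            throw new IllegalStateException("session fixation protection ineffective");
        }
        return fresh.getId();
    }
}
```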

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org