On 08/04/2010 23:34, Christopher Schultz wrote:
>> This happens on Tomcat 6.0.24 and 6.0.26, but not 6.0.20, which makes me
>> think it is related to change 45255 (Provide protection against session
>> fixation by changing session ID automatically on authentication.). In
>> the dev environment, Tomcat is running on Windows XP. Session tracking is
>> done by cookie, not URL rewriting.
> I haven't read the actual patch that added this session-id switching, but
> it's not clear if it's configurable. Mark said he'd likely make this an
> option that defaults to "off".
Security trumped compatibility in this case and it defaults to on.
Nothing stopping you turning it off though.
I'd note that apps that have issues with this behaviour are likely to
have issues with load-balancing, sticky sessions and fail-over as
exactly the same code is used to change the session ID on fail-over.
Mark
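As an added illustration (not code from this thread or from Tomcat itself), this is the pattern that change 45255 applies inside the container, written as a helper an application with its own login form could call after verifying credentials; the class and method names are my own, and the snippet assumes the Servlet 2.5 API that Tomcat 6 implements.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: regenerate the session ID at the moment of authentication. */
public final class SessionFixationGuard {
    private SessionFixationGuard() {}

    /**
     * Replace the pre-authentication session with a fresh one that carries a new ID
     * but keeps the application's attributes. Call this once the user's credentials
     * have been verified and before storing the authenticated principal.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            // Servlet 2.5 returns a raw Enumeration, hence the cast below.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // Any session ID the client presented before login (possibly planted by
            // someone else) stops being valid here.
            old.invalidate();
        }
        // The container issues a new ID and sends a new JSESSIONID cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Example login step: authenticate, rotate the ID, then record the principal. */
    public static void onSuccessfulLogin(HttpServletRequest request, String username) {
        HttpSession session = regenerate(request);
        session.setAttribute("user", username);
        // Re-read session.getId() from here on; a copy taken before login is stale.
    }
}
```

Application code that stored `session.getId()` before login, for example as a key in its own map, will not find the post-login session; keying on the session object or its attributes avoids the same breakage when the ID changes on fail-over, as the reply above notes.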