Hi, in order to avoid session fixation in the login phase of our application we have to invalidate the session. But we found the issue reported in the following bug (marked as solved) related to Tomcat 6.0.28:

https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

I'm using Tomcat 6.0.29 (under Windows XP and Linux CentOS), where the issue is marked as resolved, but I can replicate it every time. If it helps, I'm in a servlet over an HTTPS connection (without any framework or similar). I discovered that on an HTTP call the session is correctly renewed, but on HTTPS it is not. Is there any way to avoid this issue? I made the mistake of posting it on Bugzilla before posting here, sorry.

An extract from a test servlet follows (mt is a String label used to tag the log lines, defined elsewhere in the servlet):

    HttpSession s = req.getSession();
    if (s == null) {
        System.out.println(mt + ":Session is null");
    } else {
        System.out.println(mt + ":Session id=" + s.getId() + "\t New=" + s.isNew());
    }
    System.out.println("pre- invalidate");
    s.invalidate();
    // Tomcat 6 still returns the id of an invalidated session here
    System.out.println("post- invalidate: id=" + s.getId());
    s = req.getSession(true);
    // on HTTPS this id comes back equal to the invalidated one
    System.out.println("post- get new: id=" + s.getId());

Thanks very much.
BR, Andrea
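An added example (not Andrea's code or Tomcat's) of how a login servlet can perform the invalidate-and-recreate step described above while carrying the pre-login attributes over to the fresh session, and then verify that the container actually issued a new id before treating the user as logged in; the class name, the log format and the decision to fail the login on an unchanged id are assumptions of this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical test servlet: renews the session at login and checks the id changed.
public class SessionRenewalServlet extends HttpServlet {

    // Session-fixation defence: drop the session the client arrived with and
    // create a fresh one, keeping the pre-login attributes (e.g. a shopping cart).
    static HttpSession renewSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();   // the pre-authentication id must not survive login
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String oldId = req.getSession(true).getId();   // id the client presented
        HttpSession fresh = renewSession(req);
        boolean renewed = !oldId.equals(fresh.getId());
        // Log the scheme as well, since the report is that HTTP renews and HTTPS does not.
        log("secure=" + req.isSecure() + " old=" + oldId + " new=" + fresh.getId()
                + " renewed=" + renewed);
        if (!renewed) {
            // Unchanged id means the mitigation did not take effect: do not mark the user as logged in.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "session id was not renewed; login not completed");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("session renewed: " + fresh.getId());
    }
}
```

Hitting the servlet once over http:// and once over https:// and comparing the two log lines isolates whether the unchanged id is tied to the secure connector, which is the distinction the report above draws.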