Andrea,

On 11/29/2010 9:37 AM, Andrea Corti wrote:
> In order to avoid session fixation in the login phase of our application
> we have to invalidate the session.

As you may have noted, Tomcat has implemented this behavior and you
shouldn't have to worry about it.

> But we found the issue reported in the following bug (marked as solved)
> related to Tomcat 6.0.28:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

That would be the one.

> I'm using tomcat 6.0.29 (under win XP and linux CentOS) where the issue is
> marked as resolved but I can replicate it every time.

Okay, how are you replicating it and what are your results?

> If it can be helpful I'm in a servlet in an https connection (without any
> framework or similar).
> I discovered that on http call the session is correctly renewed but on https
> it is not.

Interesting.

> Follows an extract from a test servlet:
>
> HttpSession s = req.getSession();
> if (s == null) {
>     System.out.println(mt + ":Session is null");
> } else {
>     System.out.println(mt + ":Session id=" + s.getId() + "\tNew=" + s.isNew());
> }
> System.out.println("pre- invalidate");
> s.invalidate();
> System.out.println("post- invalidate: id=" + s.getId());
> s = req.getSession(true);
> System.out.println("post- get new: id=" + s.getId());

Okay, what does the above servlet print when you access it via HTTP, and
then access it via HTTPS?

-chris
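Added example, not code from Andrea's or Chris's messages nor from Tomcat itself: a login servlet that performs the same invalidate-then-getSession(true) rotation as the quoted extract, carries the old session's attributes across, and refuses the login when the container hands back the same id, which is the HTTPS symptom reported above. It assumes the Servlet 2.5 API that Tomcat 6 ships; the LoginServlet class, the username parameter and the authenticatedUser attribute name are hypothetical.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    /** Replace the pre-login session with a fresh one, keeping its attributes. */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(true);
        String oldId = old.getId();
        // Copy attributes first: they are gone once invalidate() runs.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The point of the rotation is that the id differs from the one the
        // client arrived with. If the container reused it (the behaviour the
        // thread reports over HTTPS), refuse the login rather than continue
        // with an id an attacker could have planted before authentication.
        if (oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException("session id was not regenerated on login");
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credential checking is out of scope for this example; assume it passed.
        HttpSession s = rotateSession(req);
        s.setAttribute("authenticatedUser", req.getParameter("username")); // hypothetical key
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Deploying this servlet behind both an HTTP and an HTTPS connector and posting to it on each gives a direct answer to the question Chris asks: the exception fires exactly when the id survives the rotation.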