I see that a session fixation fix [1] was backported into 5.5.29, but is disabled by default.
1) Why is this disabled by default?
2) Can I just turn it on and have all my problems solved? Or could things blow up?
3) What is the authentication step the bug fix is referring to?

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Thanks,
Bradford