On 10/03/2011 18:03, bradford wrote:
> I see that a session fixation fix [1] was backported into 5.5.29, but
> is disabled by default.
>
> 1) Why is this disabled by default?

Because things may blow up. Apps should handle this but...

> 2) Can I just turn it on and have all my problems solved? Or could
> things blow up?

See above.

> 3) What is the authentication step the bug fix is referring to?

When a user authenticates, the session ID is changed.

Mark
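
The behaviour described in the reply above, as an added example that is not part of the original message and is not Tomcat code: a simplified Python model of a session store, showing what changing the session ID at authentication does and one assumed way an application could break when the fix is turned on. The `SessionManager` class, its `change_id_on_auth` switch and the `cart` dict are hypothetical names.

```python
import secrets


class SessionManager:
    """Toy container session store (simplified model, not Tomcat code)."""

    def __init__(self, change_id_on_auth):
        self.change_id_on_auth = change_id_on_auth  # hypothetical switch for the fix
        self.sessions = {}  # session ID -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def authenticate(self, sid, user):
        """Log the user in; return the session ID that is valid afterwards."""
        attrs = self.sessions[sid]
        if self.change_id_on_auth:
            # Move the session to a fresh ID so the pre-login ID stops working.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = attrs
        attrs["user"] = user
        return sid

    def user_for(self, sid):
        attrs = self.sessions.get(sid)
        return attrs["user"] if attrs else None


def run(change_id_on_auth):
    mgr = SessionManager(change_id_on_auth)
    pre_login = mgr.create()        # ID issued before login
    cart = {pre_login: ["book"]}    # constructed app state keyed by session ID
    post_login = mgr.authenticate(pre_login, "alice")
    return {
        "old_id_user": mgr.user_for(pre_login),   # is the pre-login ID still authenticated?
        "new_id_user": mgr.user_for(post_login),
        "cart_found": post_login in cart,         # does the app still find its own state?
    }


if __name__ == "__main__":
    print("fix off:", run(False))
    print("fix on: ", run(True))
```

With the switch off, the pre-login ID becomes an authenticated session; with it on, that ID is dead, but state the application indexed by the old ID is no longer found.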