Thanks, Mark. What type of authentication are you referring to? Are you talking about the first time they access the Tomcat server? Or some sort of authentication I control in my application code?
I would like to use this feature. Should I just turn it on and see what happens? Is there a test I should do to make sure things are working fine within my app?

Thanks,
Bradford

On Thu, Mar 10, 2011 at 1:36 PM, Mark Thomas <ma...@apache.org> wrote:
> On 10/03/2011 18:03, bradford wrote:
>> I see that a session fixation fix [1] was backported into 5.5.29, but
>> is disabled by default.
>>
>> 1) Why is this disabled by default?
>
> Because things may blow up. Apps should handle this but...
>
>> 2) Can I just turn it on and have all my problems solved? Or could
>> things blow up?
>
> See above.
>
>> 3) What is the authentication step the bug fix is referring to?
>
> When a user authenticates, the session ID is changed.
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
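
One way to test the behaviour described in the quoted reply (the session ID changing when a user authenticates), given here as an added example that is not part of the original thread: compare the session cookie the browser holds before the login response with the one it holds after. The response headers and cookie values below are constructed samples, and `JSESSIONID` is assumed to be the cookie name (Tomcat's default).

```python
from http.cookies import SimpleCookie

COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name


def set_session_id(response_headers):
    """Return the session ID a response sets via Set-Cookie, or None."""
    sid = None
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if COOKIE in jar:
                sid = jar[COOKIE].value
    return sid


def check_rotation(exchanges):
    """Walk (is_login, response_headers) pairs in order, tracking the ID the
    browser holds, and classify what happened at the login response."""
    held = None
    for is_login, headers in exchanges:
        before = held
        held = set_session_id(headers) or held
        if is_login:
            if before is None:
                return "no-pre-login-session"  # nothing existed to fixate
            return "rotated" if held != before else "not-rotated"
    return "no-login-seen"


# Constructed captures: a page visit that creates a session, then a login POST.
VISIT = [("Set-Cookie", "JSESSIONID=AAAA1111; Path=/app; HttpOnly")]
LOGIN_FIX_ON = [("Location", "/app/home"),
                ("Set-Cookie", "JSESSIONID=BBBB2222; Path=/app; HttpOnly")]
LOGIN_FIX_OFF = [("Location", "/app/home")]  # no new cookie: same ID is kept

if __name__ == "__main__":
    print("fix enabled :", check_rotation([(False, VISIT), (True, LOGIN_FIX_ON)]))
    print("fix disabled:", check_rotation([(False, VISIT), (True, LOGIN_FIX_OFF)]))
```

To run it against a real application, replace the constructed header lists with the response headers captured from a pre-login page request and from the login request.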