> From: bradford [mailto:fingerm...@gmail.com]
> Subject: Re: session fixation bug fix - questions

> What type of authentication are you referring to?

Any container-managed authentication. If your webapp is doing its own, then you're in control.

> Are you talking about the first time they access the
> Tomcat server?

No, it's referring to when authentication occurs. A client may visit unprotected pages with an unauthenticated session, and hit a protected one requiring authentication. When that happens and the option is enabled, the session id will change. Whether or not that impacts your webapp is entirely up to your webapp.

 - Chuck
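
The two cases in the reply above, a webapp that does its own authentication and a webapp that is affected when the session id changes, sketched with the Servlet API as an added example (not part of the original message and not Tomcat's own code). It assumes Servlet 3.1 or later in the `javax.servlet` namespace; `SessionIdTracker`, `onLoginSuccess` and the attribute name are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical helper: webapp state keyed by session id that survives an id change. */
@WebListener
public class SessionIdTracker implements HttpSessionIdListener, HttpSessionListener {

    // Hypothetical per-session data the webapp indexes by session id.
    private static final Map<String, Object> STATE_BY_ID = new ConcurrentHashMap<>();

    public static void put(HttpSession session, Object state) {
        STATE_BY_ID.put(session.getId(), state);
    }

    public static Object get(HttpSession session) {
        return STATE_BY_ID.get(session.getId());
    }

    /** Invoked by the container when a session's id changes. */
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Remove first so the pre-authentication id no longer resolves to any state.
        Object state = STATE_BY_ID.remove(oldSessionId);
        if (state != null) {
            STATE_BY_ID.put(event.getSession().getId(), state);
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do; state is added lazily through put().
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        STATE_BY_ID.remove(event.getSession().getId()); // avoid leaking entries
    }

    /** For a webapp doing its own authentication: call after its credential check succeeds. */
    public static void onLoginSuccess(HttpServletRequest request, String username) {
        request.getSession(true);   // changeSessionId() throws IllegalStateException without a session
        request.changeSessionId();  // new id, same attributes; sessionIdChanged() above is notified
        request.getSession().setAttribute("authenticatedUser", username); // hypothetical attribute name
    }
}
```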