On 07/12/2011 17:04, Jess Holle wrote:
> I note that in recent versions of Tomcat (e.g. 7.0.23), the session id
> changes when you do a form-based authentication.
> 
> I do not see any sort of notice via anything one can listen to via the
> servlet API to receive notice of this change.
> 
> This makes things rather ugly if one is monitoring the sessions oneself
> -- as their identity changes out from under you without any notice.
> 
> Am I missing something here?  [Yes, I note the container event, but that
> necessitates Tomcat-specific code, etc -- especially given that this
> isn't fired as a JMX notification anywhere that I can see.]

No, you aren't missing anything.

Note the session object does not change, just the value returned for the ID.

This will hopefully get fixed in Servlet 3.1.

Your other option is to turn off the session fixation protection (not
recommended).

Mark
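
Added example, not part of the original message and not Tomcat's own code: because the session object survives the ID change, a monitor can track sessions by a key stored in the session instead of by `getId()`, using only the portable servlet API. The class name and attribute name are assumptions made for this sketch, and it assumes a single, non-clustered container.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical monitor: indexes sessions by a key kept inside the session,
// so the index stays valid when fixation protection changes the session ID.
@WebListener
public class StableKeySessionMonitor implements HttpSessionListener {

    // Attribute name is an assumption chosen for this example.
    static final String TRACKING_KEY = "example.monitor.trackingKey";

    private static final Map<String, HttpSession> SESSIONS =
            new ConcurrentHashMap<String, HttpSession>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String key = UUID.randomUUID().toString();
        session.setAttribute(TRACKING_KEY, key); // travels with the session object
        SESSIONS.put(key, session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called before invalidation completes, so attributes are still readable.
        Object key = se.getSession().getAttribute(TRACKING_KEY);
        if (key != null) {
            SESSIONS.remove(key.toString());
        }
    }

    /** Tracking key of a session, or null if this monitor never saw it. */
    public static String keyOf(HttpSession session) {
        Object key = session.getAttribute(TRACKING_KEY);
        return key == null ? null : key.toString();
    }

    /** Current container ID for a tracked session (the post-login value after a change). */
    public static String currentId(String trackingKey) {
        HttpSession session = SESSIONS.get(trackingKey);
        return session == null ? null : session.getId();
    }
}
```

On containers implementing Servlet 3.1 or later, `javax.servlet.http.HttpSessionIdListener` reports the ID change directly.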
