https://bz.apache.org/bugzilla/show_bug.cgi?id=60854
--- Comment #8 from Mark Thomas <ma...@apache.org> --- It is worth keeping in mind the change in session ID is relatively cheap. The session object remains the same, it is just the ID field that is updated. Using alwaysUseSession="true" on the Authenticator appears, on the face of it, to be a simple solution to this problem. I haven't tried coding it, but it looks like a fix triggered by session creation would be possible. It would require some refactoring of AuthenticatorBase.register to avoid duplication of code. Overall, I do wonder if the additional complexity of the session creation triggered fix is truly necessary. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org