https://bz.apache.org/bugzilla/show_bug.cgi?id=64104
Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
This is a topic for the users' list.

(In reply to Goyo from comment #0)
> IMHO, that "if any" should mean that
> the previous condition should be expressed as: if (expectedSessionId !=
> null && !expectedSessionId.equals(request.getRequestedSessionId()))
>
> shouldn't it?

No. If there is no expected session id, then it should be expired.

Your code would change the logic to "only expire if there was an expected session id AND it did not match". So non-matching session ids (expected != requested) would still be allowed, which is incorrect behavior.