https://issues.apache.org/bugzilla/show_bug.cgi?id=51283
--- Comment #2 from Mark Thomas <ma...@apache.org> 2011-05-28 18:29:11 UTC ---

Users can't place objects into the session. Only the application can do that. If the application is doing something that is security sensitive before authentication, I would class that as an application flaw.

I'm having trouble coming up with any scenarios where this would be an issue that I don't view as an application rather than container problem.

With such a scenario I could see an argument to make the behaviour on authentication configurable (do nothing / change ID / create new session). Without such a scenario this issue is going to get resolved as invalid.