Hi, I'm wondering why Manager.createSession(String) takes a sessionId that gets set on the new session.
When a client invokes session.invalidate() and afterwards request.getSession(), he will get a new session with the same/previous session id (yes, this is only done when the sessionId was submitted via cookie, and only when the "empty session path" flag is set in tc6 or the session is bound to "/" in tc7). I'm wondering why the sessionId is reused at all - what's the use case for this? Wouldn't it be safer for users who are not aware of this fact to always generate a new sessionId? Thanx && cheers, Martin
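The behaviour Martin describes matters because of session fixation: if the container hands back the pre-login id after invalidate()+getSession(), an attacker who planted that id in the victim's cookie ends up holding an authenticated session. The servlet below is an added example, not code from this thread or from Tomcat; it shows the check a login handler can make against the plain Servlet API (javax.servlet, Servlet 3.0 level as shipped with Tomcat 7) to detect whether the id actually rotated, and fails closed if it did not. The credential check (checkCredentials) and the class name are placeholders invented for the example.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login handler that verifies the container issued a fresh session id on
 * privilege change. If invalidate()+getSession() yields the same id as
 * before (the cookie-submitted-id reuse described in the thread), the
 * request is rejected rather than binding the principal to a possibly
 * attacker-chosen id. Example code; not from Tomcat or the original post.
 */
public class RotatingLoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(RotatingLoginServlet.class.getName());

    /**
     * Invalidates the caller's current session (if any) and creates a new one.
     * Returns the new session only if its id differs from the old one;
     * returns null when the container reused the id, so callers can fail closed.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        String oldId = (old == null) ? null : old.getId();
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Container handed the pre-login id back: treat as a fixation risk.
            fresh.invalidate();
            return null;
        }
        return fresh;
    }

    /** Placeholder credential check; a real application would consult its user store. */
    private boolean checkCredentials(String user, String password) {
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");

        if (!checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only bind the authenticated principal to a session whose id the
        // client could not have chosen before authentication.
        HttpSession session = rotateSession(req);
        if (session == null) {
            LOG.warning("Session id was not rotated on login for user " + user
                    + "; refusing to authenticate on a reused id");
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Session could not be renewed");
            return;
        }

        session.setAttribute("principal", user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

On a Servlet 3.1 container the same effect is available directly through HttpServletRequest.changeSessionId(), which is the preferred call where it exists; the id comparison above is the portable check for the Servlet 2.5/3.0 containers the thread is about, and it is also a cheap way to confirm in a test whether a given Tomcat configuration exhibits the reuse.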