On 06/15/2012 07:49 AM, Rainer Jung wrote:
> On 14.06.2012 21:45, Martin Grotzke wrote:
>> Wouldn't it be more safe for users that are not aware of this fact to
>> always generate a new sessionId?
>
> Empty session path was originally meant to support a portal situation.
> Using it there would be only one session cookie valid for all contexts,
> because all sessions of a user would have the same ID.

Ok, makes sense.

> Usually the feature shouldn't be used for reusing a session id after
> invalidation but more for having all contexts using the same session id.
> I think this is no longer necessary, because the cookie is configurable
> per context now (e.g. its name).

If it's not intended that after session.invalidate() a
request.getSession() returns a session with the same id the catalina
request would just have to store that the
requestedSessionIdWasInvalidated so that in doGetSession it checks
additionally this property before invoking
manager.createSession(getRequestedSessionId());

Shall I submit an issue for this?

Cheers,
Martin
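
The behaviour discussed in this message, as an added example that is not part of the original mail and is not Tomcat source code: a simplified model showing that with empty session path the requested id is handed back to createSession after invalidation, and how the proposed requestedSessionIdWasInvalidated check changes that. The Manager and Request classes, the honourInvalidation switch and the sample session are assumptions made for the illustration.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

// Simplified model of the behaviour discussed in the thread; not Tomcat source.
public class SessionIdReuseDemo {
    static class Manager {                       // hypothetical stand-in for the session manager
        final Set<String> live = new HashSet<>();
        String createSession(String requestedId) {
            String id = (requestedId != null) ? requestedId : UUID.randomUUID().toString();
            live.add(id);
            return id;
        }
        void invalidate(String id) { live.remove(id); }
    }

    static class Request {                       // hypothetical stand-in for the request object
        final Manager manager;
        final String requestedSessionId;         // id taken from the client's session cookie
        final boolean emptySessionPath;          // empty session path enabled
        final boolean honourInvalidation;        // true = apply the check proposed in the mail
        boolean requestedSessionIdWasInvalidated;

        Request(Manager m, String cookieId, boolean emptyPath, boolean honour) {
            manager = m; requestedSessionId = cookieId;
            emptySessionPath = emptyPath; honourInvalidation = honour;
        }
        void invalidateSession(String id) {
            manager.invalidate(id);
            if (id.equals(requestedSessionId)) requestedSessionIdWasInvalidated = true;
        }
        String doGetSession() {
            boolean reuse = emptySessionPath && requestedSessionId != null
                    && !(honourInvalidation && requestedSessionIdWasInvalidated);
            return manager.createSession(reuse ? requestedSessionId : null);
        }
    }

    public static void main(String[] args) {
        for (boolean honour : new boolean[] {false, true}) {
            Manager m = new Manager();
            String cookie = m.createSession(null);        // constructed sample session
            Request r = new Request(m, cookie, true, honour);
            r.invalidateSession(cookie);                  // application calls session.invalidate()
            String fresh = r.doGetSession();              // then request.getSession()
            System.out.println("check=" + honour + " idReused=" + fresh.equals(cookie));
        }
    }
}
```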