Hi,

can I force Tomcat to change the session id from my application code? I know that in Tomcat 7 there is a "changeSessionIdOnAuthentication" attribute that can be used with container managed security, but how can I protect my application from session fixation attacks if I don't use container managed security? Invalidating the session, creating a new session and copying session attributes is expensive and doesn't work with some libraries, e.g. OpenWebBeans stores session objects to HttpSession only before passivation for performance reasons.

Regards,
Pavel
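
The invalidate-and-copy approach the message describes, written out as an added example that is not part of the original post. The class and method names are hypothetical, and the code assumes the javax.servlet API of Servlet 3.0 as shipped with Tomcat 7.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper; the name is an assumption, not from the post.
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Replaces the current session with a fresh one that has a new id.
     * Call it once the credentials are verified and before any
     * authenticated state is written, so an id planted before login
     * never becomes an authenticated session.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();

        // getSession(false): do not create a session just to destroy it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            // Fires session and binding listeners; the old id is dead after this.
            old.invalidate();
        }

        // The container issues a new id and a new session cookie here.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Limitation raised in the post: only state that is in the
        // attribute map at this moment is carried over. State a framework
        // keeps elsewhere and writes to HttpSession later is not copied.
        return fresh;
    }
}
```

On containers that implement Servlet 3.1 or later, `HttpServletRequest.changeSessionId()` changes the id of the existing session in place, so no copying is needed there.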