DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419 Session-ID grabbing from Request accepts invalid session cookies in presense of valid URL sessions ------- Additional Comments From [EMAIL PROTECTED] 2004-02-08 15:38 ------- I agree, that when we can use cookies, session IDs from cookies should be preferred. Preferring URL rewritten session IDs over cookies has only be a potential point of discussion (see first comment). But IMHO if all session IDs read from cookies are bogus and the session ID from the URL is a valid one, then tomcat should go for the valid one. So its not a matter of 'use cookies' or 'use URL-rewriting' but 'use a valid session id gotten from the client while valid session cookies override session IDs from the URL'. If you do the check as pointed out in your message from 2004-02-08 10:43, this is almost it as I understand it.. ..If you do not override a valid session ID with an invalid one from a cookie. "Be lenient with what you consume, be pedantic and accurate with what you create." -- Jon Postel --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]