Is there a configuration setting to force Tomcat to expire the old
session and put the user in a new one when they log in using any of
the Realms?  For example, this is a problem:

- User tries to access a restricted page - no session set up
- Tomcat redirects to the login page, appends ;jsessionid=<id> to the URL
- User successfully authenticates

Now, a URL with a valid session ID is in the user's history, might be
logged, and an unknowing user could copy/paste that URL to somebody,
say in a newsgroup or something.

I'm using mod_rewrite on an Apache server in front of Tomcat to fix
the jsessionid going in the URL, but is there any way to force Tomcat
to make a new session upon authentication?  I know that this is not
always desirable - a user may have preferences in their session before
they authenticate, so I think it should be optional.

Thanks for any help.
Will Stranathn
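
The scenario in the message above, as an added example that is not part of the original post and is not Tomcat code: a small in-memory model of a session table, showing that the ID issued before login stays authenticated afterwards unless the server rotates it, with attribute carry-over as the optional part. `SessionStore`, `scenario`, the URL and the user name are constructed for illustration.

```python
import secrets


class SessionStore:
    """In-memory model of a container's session table (illustrative only)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "attrs": {}}
        return sid

    def attrs(self, sid):
        return self._sessions[sid]["attrs"]

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login(self, sid, user, rotate=True, keep_attrs=True):
        """Mark the session authenticated; return the ID valid afterwards."""
        old = self._sessions.get(sid)
        if old is None:
            # Never adopt an ID the server did not issue: start a fresh session.
            rotate, old = True, {"attrs": {}}
        if not rotate:
            old["user"] = user          # same ID before and after login
            return sid
        self._sessions.pop(sid, None)   # the pre-login ID stops working here
        new_sid = secrets.token_hex(16)
        carried = dict(old["attrs"]) if keep_attrs else {}
        self._sessions[new_sid] = {"user": user, "attrs": carried}
        return new_sid


def scenario(rotate, keep_attrs=True):
    store = SessionStore()
    pre_auth = store.create()                    # issued before login
    store.attrs(pre_auth)["theme"] = "dark"      # pre-login preference
    logged_url = "/login.jsp;jsessionid=" + pre_auth   # constructed URL
    post_auth = store.login(pre_auth, "alice", rotate, keep_attrs)
    old_id = logged_url.split(";jsessionid=", 1)[1]
    return {
        "old_id_authenticated": store.user_for(old_id) == "alice",
        "user": store.user_for(post_auth),
        "prefs": store.attrs(post_auth),
    }
```

Without rotation the ID recorded in the URL maps to the authenticated user; with rotation it maps to nothing, and the preference is kept or dropped according to `keep_attrs`.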
