Hi all,

Right now we're running our application in Tomcat and using hazelcast to
share information across our multiple instances. In an attempt to prevent
session fixation I implemented a tomcat valve which invalidates sessions
when a user authenticates (or in this case, just visits the authentication
endpoints). This is causing an issue where our application proper isn't
getting notified of invalidated sessions and they're hanging around in the
hazelcast map.

I tried everything I could to fix the session fixation problem within the
scope of my application but no matter what I did it seemed like tomcat
would persist a user's session even after invalidating it, so this was my
solution, and of course I face an equally annoying and difficult problem.

We're using tomcat7, apache 2.2 / mod_jk to load balance, spring 3.1, and
hazelcast 2.2

Any and all advice / tips / scorn appreciated. :-)
Joseph Bleau
