On Fri, Dec 18, 2015 at 4:36 PM, Mark Thomas <[email protected]> wrote:

> On 18 December 2015 20:21:12 GMT+00:00, Jason Rivard <[email protected]>
> wrote:

[snip]
>

> You can use sessionCookiePathUsesTrailingSlash on the Context to fix the
> session problem but be aware of the security risks if you have contexts
> with common prefixes.
>
> We might need to rethink the defaults of these inter-related Context
> options to get a set that is self-consistent and secure.
>
> Mark


Yes, I'm pretty sure that would fix the problem as well, but has the
security risks you mention.  From my perspective, this is more an issue
about the default behavior changing.  My existing binary app releases are
broken when a newer version of Tomcat is used - and that shouldn't happen.
Should I open a bug for this?
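
The trade-off discussed in this thread, modelled as an added example (not part of either message and not Tomcat's code): it compares which requests receive the session cookie of a context with and without the trailing slash in the cookie path. The context names `/foo` and `/foobar`, the helper names, and the plain prefix matcher standing in for clients that do not follow RFC 6265 are assumptions made for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: the cookie path must equal the request
// path, or be a prefix of it that ends at a "/" boundary.
function rfc6265PathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Assumption: a client that ignores the "/" boundary and does a plain
// string-prefix comparison.
function prefixMatch(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Simplified model of the session cookie Path for a context, with or
// without the trailing slash that sessionCookiePathUsesTrailingSlash controls.
function sessionCookiePath(contextPath, usesTrailingSlash) {
  const base = contextPath === "" ? "/" : contextPath;
  return usesTrailingSlash && !base.endsWith("/") ? base + "/" : base;
}

// Which of the request paths would carry the session cookie of contextPath?
function cookieSentTo(contextPath, usesTrailingSlash, match, requestPaths) {
  const cookiePath = sessionCookiePath(contextPath, usesTrailingSlash);
  return requestPaths.filter((p) => match(p, cookiePath));
}

// Constructed sample: two contexts sharing a prefix, /foo and /foobar.
const REQUESTS = ["/foo", "/foo/index.jsp", "/foobar/index.jsp"];

function report() {
  const rows = [];
  for (const slash of [true, false]) {
    for (const [name, match] of [["rfc6265", rfc6265PathMatch], ["prefix", prefixMatch]]) {
      rows.push({ trailingSlash: slash, matcher: name,
                  sent: cookieSentTo("/foo", slash, match, REQUESTS) });
    }
  }
  return rows;
}

for (const r of report()) {
  console.log(`trailingSlash=${r.trailingSlash} matcher=${r.matcher} -> ${r.sent.join(", ")}`);
}
```

With the trailing slash, a request to `/foo` itself carries no session cookie; without it, the prefix-matching client also sends the `/foo` session cookie to `/foobar`.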
