Hi Felix,

thank you very much for that hint.

> When a session gets 'authenticated' its id will change to prevent 
> session fixation attacks. If you are interested in the events telling 
> you the change you have two possibilities:
OK, that explains what I see :-)
 
> 1. Use servlet api 3.1 and use a HttpSessionIdListener (which means 
> upgrading to tomcat 8 or newer)
That's an option for the next release, not for now.

> 2. Use a ContainerListener.
I took the 'org.apache.catalina.ContainerListener' and implemented
the interface in my own SessionListener, but I got no container event
there. Is this the interface and the right place for the implementation?


best regards
Arno
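
Option 1 from the quoted reply, as an added example that is not part of the original message and not Tomcat's own code: a Servlet 3.1 listener that keeps an application-side registry keyed by session id consistent when the container changes the id at authentication. The class name `SessionRegistryListener` and the registry itself are assumptions for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener: requires Servlet 3.1 (Tomcat 8 or newer).
@WebListener
public class SessionRegistryListener
        implements HttpSessionListener, HttpSessionIdListener {

    // Hypothetical registry: session id -> creation time in milliseconds.
    private static final ConcurrentMap<String, Long> REGISTRY =
            new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        REGISTRY.put(s.getId(), s.getCreationTime());
    }

    // Called when the id changes, e.g. after authentication when the
    // container replaces the id to prevent session fixation.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession s = event.getSession();
        // Drop the pre-authentication id so it can no longer be looked up.
        Long created = REGISTRY.remove(oldSessionId);
        // Re-key the entry under the new id; fall back to the session's own
        // creation time if the old id was never registered.
        REGISTRY.put(s.getId(), created != null ? created : s.getCreationTime());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        REGISTRY.remove(event.getSession().getId());
    }

    // Lets application code check whether an id is still current.
    public static boolean isKnown(String sessionId) {
        return REGISTRY.containsKey(sessionId);
    }
}
```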

