Hi,
   
  I am using JBoss 4.0.5GA.  Cookie-based session tracking is used. 
  Starting with http, when the user clicks login, we redirect to https, but the same 
session id is used for https. It is not safe.
   
  After calling session.invalidate(), the session id in the cookie is used for 
https.
   
  If the jsessionid cookie is set to empty string after session.invalidate()
   
  session.invalidate();
  Cookie cookie = new Cookie("jsessionid", "");
  response.addCookie(cookie);
   
  The jsessionid cookie is changed to the empty string in the browser. But the 
empty string will be used to create the new https session.  I hope Tomcat will 
generate a new unique session id.
   
  Is there a way to delete the cookie?
  For security reasons, how do I set a different session id for https when 
redirecting from http to https?
   
  Thanks for help.
  Dave
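An added example (not Dave's code and not JBoss's own), showing one way to handle this on the Servlet 2.4 API that JBoss 4.0.5 ships: invalidate the pre-login session, expire the session cookie with setMaxAge(0) (an empty-value cookie without a max-age of 0 stays in the browser, and the lowercase name "jsessionid" does not match the cookie Tomcat actually sets, JSESSIONID), and then check that the container really issued a new id before trusting the session. The class name LoginServlet, the checkPassword helper, the cookie path "/" and the /home redirect are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login handler (Servlet 2.4 API) that refuses to carry the pre-login session id into HTTPS. */
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!request.isSecure()) {                        // credentials only on the https side
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        String user = request.getParameter("user");
        if (!checkPassword(user, request.getParameter("password"))) {   // hypothetical helper
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String oldId = request.getRequestedSessionId();   // id the browser sent from the http phase
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();                             // drop everything bound to the old id
        }
        // Expire the old cookie BEFORE the container emits the new one, so the browser applies the
        // container's Set-Cookie last. Tomcat's cookie name is JSESSIONID (case matters) and the path
        // must match the one the container used; "/" is assumed here.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath("/");
        response.addCookie(expired);
        HttpSession fresh = request.getSession(true);     // container generates and sets the new id
        if (oldId != null && oldId.equals(fresh.getId())) {
            // The container reused the id the browser presented, so the session is still fixable:
            // fail closed. (On Tomcat 5.5 / JBoss 4 the connector attribute emptySessionPath="true"
            // is a known cause of this reuse.)
            fresh.invalidate();
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "session id not rotated");
            return;
        }
        fresh.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");   // assumed post-login page
    }

    /** Hypothetical stand-in for the application's real credential check. */
    private boolean checkPassword(String user, String password) {
        return user != null && password != null && user.length() > 0 && password.length() > 0;
    }
}
```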
   
