session.invalidate();
session = request.getSession(true);

  The new session will have the same session id.

Bill Barker <[EMAIL PROTECTED]> wrote:
  
"Dave" wrote in message 
news:[EMAIL PROTECTED]
> Hi,
>
> I am using JBoss 4.0.5GA. Cookie-based session tracking is used.
> Starting with http, when user clicks login, redirect to https, but the 
> same session id is used for https. It is not safe.
>
> after calling session.invalidate(), the session id in the cookie is used 
> for https.
>
> If the jsessionid cookie is set to empty string after 
> session.invalidate()
>
> session.invalidate();
> Cookie cookie = new Cookie("jsessionid", "");
> response.addCookie(cookie);
>

Why not simply:
session.invalidate();
session = request.getSession(true);

> The jsessionid cookie is changed to the empty string in browser. But the 
> empty string will be used to create the new https session. I hope tomcat 
> to generate a new unique session id.
>
> Is there a way to delete a cookie?
> For security reasons, how do I set a different session id for https when 
> redirecting from http to https?
>
> Thanks for help.
> Dave
>




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
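The rotation Bill suggests (invalidate the old session, then call getSession(true)) written out as a reusable helper that also carries the old session's attributes across and checks that the container really issued a different id, since the original poster observed the same id coming back. This is an added example for this thread, not code from the posts or from Tomcat/JBoss; the class name SessionRotation and method name rotate are hypothetical, and it assumes the Servlet 2.4 API that JBoss 4.0.x ships.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session identifier at a trust boundary (here: the http -> https
 * redirect before login) so the id that travelled over plain http is not the
 * id that later carries the authenticated https session.
 *
 * Hypothetical helper written for this thread; not part of Tomcat or JBoss.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Returns a session whose id differs from the one the request arrived with,
     * preserving the attributes of the old session (if there was one).
     *
     * @throws IllegalStateException if the container handed back the old id,
     *         so the caller fails closed instead of continuing on a session
     *         the http side already knows.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        String oldId = (old != null) ? old.getId() : request.getRequestedSessionId();

        // Keep pre-login state (e.g. a shopping cart) so rotation is invisible
        // to the user; nothing security-sensitive should live here yet.
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // Ask the container for a brand-new session...
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // ...and verify it, rather than trusting that the id changed. This is
        // exactly the case reported in the thread: same id after invalidate().
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException(
                "container reused session id after invalidate(): " + oldId);
        }
        return fresh;
    }
}
```

Call SessionRotation.rotate(request) in the login handler once the request is already on https and before any authenticated state is stored. The explicit id comparison is the part worth keeping even if the rest is adapted: it turns a silent session-fixation condition into a logged failure. On containers implementing Servlet 3.1 or later, HttpServletRequest.changeSessionId() performs the id change in place without the copy step, and the same post-rotation check still applies.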