On Fri, Feb 19, 2010 at 12:02:18PM +0000, iainmac wrote:
> 
> Hi,
> 
> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
> 
> I have a web application that checks for a current session, and if there
> isn't one it sends the user to a login screen.  This is working fine from
> Explorer as it did before in the previous version of Tomcat, but it keeps
> saying the session is new in Firefox, Safari and Chrome.
> 
> In the jsp, this keeps taking me back to the login screen...
> 
>       if (session.getAttribute("userName")==null){
>               response.sendRedirect("login.jsp");
>               return;
>       }
>       
> Why would Explorer work and the others not?
> 
> Thanks,
> 
> Iain

You might want to review new protection Tomcat has against session
fixation, which was done in 6.0.21.

http://issues.apache.org/bugzilla/show_bug.cgi?id=45255

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to