2011/7/14 Christopher Schultz <ch...@christopherschultz.net>: > > Konstantin, > > On 7/13/2011 8:54 PM, Konstantin Kolinko wrote: >> AFAIK, 1) Tomcat won't send Set-Cookie when session id is already >> known (either from this webapp or from webapp on its parent path >> such as ROOT). > > That would sound like a bug. If the session cookie's expiration date is > not "-1", then it needs to be updated with every response, no?
I cannot say without reading the letter of the spec. 1) Updating it with every response sounds lame. 2) max-age value should be consistent between all web applications that might share the session cookie. Otherwise there will be inconsistencies and breakages. 3) I think that there might be use case when max age is greater than zero, but app owner does not want to send it with each response. Is SSO cookie updated with each response? Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org