should work without it on trunk: https://issues.apache.org/jira/browse/TOMEE-745
Note: the difference between your conf and the patch is that the patch keeps the "change session id" behavior (which is secure)

*Romain Manni-Bucau*
*Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
*Blog: http://rmannibucau.wordpress.com/*
*LinkedIn: http://fr.linkedin.com/in/rmannibucau*
*Github: https://github.com/rmannibucau*

2013/1/21 William J. Eaton <[email protected]>

> On Mon, 2013-01-21 at 14:33 -0600, José Luis Cetina wrote:
> > If I remember, this is the default behavior starting from Tomcat 6.0.x; the
> > "name" is Session Fixation Protection. I remember if you don't want
> > this behavior you have to set to false the changeSessionIdOnAuthentication
> > attribute.
> Thanks. That resolves the issue. When I add the Valve directive below
> to context.xml, the application works as expected.
> <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
> changeSessionIdOnAuthentication="false"/>
>
> --
> William J. Eaton, [email protected] (713) 202-1620
> LifeFormulae, LLC
> 9119 Highway 6 South #228
> Missouri City, TX 77459
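An added example, not part of the original thread and not Tomcat or TomEE code: a small audit check that flags authenticator valves in a `context.xml` that switch off `changeSessionIdOnAuthentication`, the session fixation protection discussed above. The sample XML and the function name `find_fixation_risks` are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Package of Tomcat's built-in authenticator valves (Form, Basic, Digest, ...).
AUTH_PKG = "org.apache.catalina.authenticator."

# Constructed sample: the context.xml workaround quoted in the thread.
SAMPLE_WEAK = """<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="false"/>
</Context>"""

# Constructed sample: the same valve with the protection left at its default.
SAMPLE_OK = """<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"/>
</Context>"""


def find_fixation_risks(xml_text):
    """Return class names of authenticator valves that disable session ID rotation."""
    root = ET.fromstring(xml_text)
    findings = []
    for valve in root.iter("Valve"):
        cls = valve.get("className", "")
        if not cls.startswith(AUTH_PKG):
            continue  # not an authenticator valve
        # Attribute absent: rotation stays on (the default described in the thread).
        value = valve.get("changeSessionIdOnAuthentication", "true")
        # Conservative: anything other than "true" is reported as disabled.
        if value.strip().lower() != "true":
            findings.append(cls)
    return findings


if __name__ == "__main__":
    # Usage: python check_valves.py path/to/context.xml [more files...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for cls in find_fixation_risks(fh.read()):
                print(f"{path}: {cls} keeps the pre-login session ID")
                status = 1
    sys.exit(status)
```

A non-zero exit status makes the check usable as a gate in a deployment pipeline.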
