https://bz.apache.org/bugzilla/show_bug.cgi?id=60854
--- Comment #2 from Jan Engehausen <smurf...@gmail.com> ---

Hello Remy,

as far as I understand, session fixation prevention is there to change the session ID when a session becomes authenticated. That's good. But without a session to begin with, then being authenticated right away, why change the session ID on the next response? There is no need for this - what does this protect against? This appears unnecessary.

Furthermore, turning principal caching off (cache=false and changeSessionIdOnAuthentication=true) causes ANY response to set a new session ID cookie. Is that really intended?

Thanks,
Jan
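The three situations the comment distinguishes (an existing unauthenticated session that gets authenticated, a request with no session that is authenticated immediately, and a session re-authenticated on every request when principal caching is off) can be modelled with a small session store. The following Python is an added example, not Tomcat's implementation and not the behaviour the comment reports; it assumes that rotation is keyed on the unauthenticated-to-authenticated transition only. The `SessionStore`, `handle_authenticated_request` and `demo` names and all session IDs are constructed for this example.

```python
"""Toy model of session-fixation prevention by session ID rotation.

Added example, not Tomcat's code. Rotation happens exactly once, when an
already-existing unauthenticated session becomes authenticated, so that a
session ID an attacker might have planted before login does not survive it.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    sid: str
    principal: Optional[str] = None  # None until the session is authenticated


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self) -> Session:
        s = Session(sid=secrets.token_hex(16))
        self.sessions[s.sid] = s
        return s

    def rotate(self, s: Session) -> str:
        """Give an existing session a fresh ID and invalidate the old one."""
        del self.sessions[s.sid]
        s.sid = secrets.token_hex(16)
        self.sessions[s.sid] = s
        return s.sid


@dataclass
class Response:
    set_cookie: Optional[str] = None  # session ID cookie to send, if any


def handle_authenticated_request(store: SessionStore, incoming_sid: Optional[str],
                                 principal: str) -> Tuple[Response, Session]:
    """Process one request whose credentials resolved to `principal`.

    incoming_sid is the session ID from the request cookie, or None.
    """
    resp = Response()
    session = store.sessions.get(incoming_sid) if incoming_sid else None
    if session is None:
        # No usable session: create one that is authenticated from the start.
        # There was no pre-authentication ID, so this is a first cookie,
        # not a rotation (the comment's second situation).
        session = store.create()
        session.principal = principal
        resp.set_cookie = session.sid
        return resp, session
    if session.principal is None:
        # unauthenticated -> authenticated: rotate so a fixated ID dies here
        resp.set_cookie = store.rotate(session)
    # Re-authenticating an already-authenticated session (what happens on
    # every request when principal caching is off) changes nothing.
    session.principal = principal
    return resp, session


def demo() -> dict:
    """Run the three scenarios and report what each response carried."""
    store = SessionStore()

    # 1. Fixation: an unauthenticated session ID exists before login.
    planted = store.create()
    old_sid = planted.sid
    resp1, _ = handle_authenticated_request(store, old_sid, "alice")

    # 2. No session at all, authenticated straight away.
    resp2, s2 = handle_authenticated_request(store, None, "bob")

    # 3. cache=false style: the same session re-authenticated on each request.
    cookies = [handle_authenticated_request(store, s2.sid, "bob")[0].set_cookie
               for _ in range(3)]

    return {
        "rotated_on_login": resp1.set_cookie is not None and resp1.set_cookie != old_sid,
        "old_id_invalid": old_sid not in store.sessions,
        "fresh_session_cookies": 1 if resp2.set_cookie else 0,
        "extra_cookies_on_reauth": sum(c is not None for c in cookies),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the second and third scenarios produce one cookie and no further cookies respectively; whether Tomcat behaves that way with cache=false is exactly the question the comment raises and is not asserted here.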