https://bz.apache.org/bugzilla/show_bug.cgi?id=60854
--- Comment #4 from Jan Engehausen <smurf...@gmail.com> --- I see. I need to run this by my colleagues, hope it is okay to keep open until tomorrow. I would argue that in the case where authentication and session creation occur in the same request it would not be right to change the session ID on the second request (where no authentication occurs). -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
