https://bz.apache.org/bugzilla/show_bug.cgi?id=64104
Christopher Schultz <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Christopher Schultz <[email protected]> ---
This is a topic for the users' list.

(In reply to Goyo from comment #0)
> IMHO, that "if any" should mean that the previous condition should be
> expressed as:
>
> if (expectedSessionId != null && !expectedSessionId.equals(request.getRequestedSessionId()))
>
> shouldn't it?

No. If there is no expected session id, then it should be expired.

Your code would change the logic to "only expire if there was an expected
session id AND it did not match". So non-matching session ids (expected !=
requested) would still be allowed, which is incorrect behavior.
