On 18/04/2011 10:13, Remy Maucherat wrote: > On Sat, 2011-04-16 at 22:25 +0000, ma...@apache.org wrote: >> Author: markt >> Date: Sat Apr 16 22:25:28 2011 >> New Revision: 1094069 >> >> URL: http://svn.apache.org/viewvc?rev=1094069&view=rev >> Log: >> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51042 >> Don't trigger session creation listeners when changing the session ID during >> authentication. > > But the listeners have to be aware that the id changed.
Why? I have checked the Servlet spec and I don't see any event defined for "session ID changed". I also don't see anything (although I may have missed it) that says the ID must be constant. It Tomcat treats changing the ID as "session invalidated" followed by "session created" then the listeners would need to be notified (for both events) but that raises additional questions about events for object binding and attribute changes - all those events should probably be triggered as well since the attributes are essentially being removed from the old session and added to the new. That could be an expensive and unnecessary process for some applications. The previous behaviour only triggered a session created event for the new session ID. There was no corresponding session destroyed event for the old session ID. Regardless of whether we decide that events are required or not, the previous behaviour was wrong. My preference is to keep things simple and not trigger any events when the ID changes. Sessions aren't being invalidated or created so I think firing those events is more likely to cause problems for applications than not firing them. To date (AFAIR), there has been one issue reported on the users list (changing ID broke a Java applet - fixed by not changing the ID on authentication) and one bug (that session created is fired but not session destroyed - that triggered this fix). Once we agree on how to handle this, we need to make sure all session id changes (authentication, jvmRoute changes) are handled the same way. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
