https://issues.apache.org/bugzilla/show_bug.cgi?id=51631

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
         OS/Version|                            |All

--- Comment #2 from Mark Thomas <ma...@apache.org> 2011-08-08 10:17:35 UTC ---
Full file patches, especially when against an old version of the code, are a
complete pain to work with. That is why patches should be provided in diff -u
format. As far as I can tell, the attached patch adds a setter and getter for
alwaysUseSession.

The getter and setter are clearly missing so adding them is a good thing to do.
I'll get that done for 7.0.x and 6.0.x.

I fail to see how the session fixation protection is triggering session data
loss. All it ever does is change the session ID, if a session already exists.
It never, ever, creates a new session. For example, Tomcat's Manager
application uses BASIC authentication and does not experience the problem
described here.

At the moment, this looks like an application issue that should be explored on
the users list. If that discussion identifies a Tomcat bug then this issue can
be re-opened and an explanation provided as to how to reproduce this issue.
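
A minimal model of the behaviour described in comment #2, added here as an illustration and not taken from Tomcat or from the patch attached to the bug: on authentication an existing session is re-keyed under a fresh ID with its attributes intact, and nothing is created when no session exists. `SessionStore`, `Session` and `onAuthenticated` are hypothetical names, and the in-memory map stands in for a real session manager.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model, not Tomcat code: SessionStore, Session and
// onAuthenticated are hypothetical names used only for this illustration.
public class SessionFixationModel {
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    static final class SessionStore {
        private final Map<String, Session> byId = new ConcurrentHashMap<>();
        private final SecureRandom random = new SecureRandom();

        private String newId() { return new BigInteger(128, random).toString(16); }

        String create() {
            String id = newId();
            byId.put(id, new Session());
            return id;
        }

        Session find(String id) { return id == null ? null : byId.get(id); }
        int size() { return byId.size(); }

        // After successful authentication: re-key the existing session under a
        // fresh ID. With no existing session, return null and create nothing.
        String onAuthenticated(String presentedId) {
            Session s = (presentedId == null) ? null : byId.remove(presentedId);
            if (s == null) return null;
            String freshId = newId();
            byId.put(freshId, s);
            return freshId;
        }
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();
        String preLoginId = store.create(); // constructed sample: ID issued before login
        store.find(preLoginId).attributes.put("cart", "3 items");
        String postLoginId = store.onAuthenticated(preLoginId);
        System.out.println("old ID rejected: " + (store.find(preLoginId) == null));
        System.out.println("data kept: " + store.find(postLoginId).attributes.get("cart"));
        System.out.println("nothing created: " + (store.onAuthenticated(null) == null && store.size() == 1));
    }
}
```

If an application loses session data at login while the container behaves like this model, the place to look is code that invalidates the session or caches the pre-login ID.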
