Hi Martin,
On 14.06.2012 21:45, Martin Grotzke wrote:
> Hi,
> I'm wondering why Manager.createSession(String) takes a sessionId that
> gets set on the new session.
> When a client invokes session.invalidate() and afterwards
> request.getSession() he will get a new session with the same/previous
> session id (yes, this is only done when the sessionId was submitted via
> cookie, and only when the "empty session path" flag is set in tc6 or the
> session is bound to "/" in tc7).
> I'm wondering why the sessionId is reused at all - what's the use case
> for this?
> Wouldn't it be safer for users that are not aware of this fact to
> always generate a new sessionId?
Empty session path was originally meant to support a portal situation.
Using it, there would be only one session cookie valid for all contexts,
because all sessions of a user would have the same ID.
But empty session path is said to cause more problems than it solves,
so it is good practice not to enable it.
Don't know the exact reasoning for TC 7.
Usually the feature shouldn't be used for reusing a session id after
invalidation but more for having all contexts using the same session id.
I think this is no longer necessary, because the cookie is configurable
per context now (e.g. its name).
Regards,
Rainer
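As an added illustration of the behaviour Martin describes (this is not code from the thread or from Tomcat itself): a hypothetical logout servlet that invalidates the session, requests a new one and logs when the container hands back the id the client originally sent. The class name is an assumption; it uses the javax.servlet API that Tomcat 6/7 implement.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (added example, not Tomcat code).
// It invalidates the current session, asks for a fresh one and checks
// whether the new id equals the one submitted by the client, i.e. the
// reuse that happens with emptySessionPath (tc6) / cookie path "/" (tc7).
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Id taken from the request (cookie or URL); null if none was sent.
        String requestedId = req.getRequestedSessionId();

        HttpSession old = req.getSession(false);
        String oldId = (old != null) ? old.getId() : null;
        if (old != null) {
            old.invalidate();
        }

        // Replacement session created right after invalidation.
        HttpSession fresh = req.getSession(true);
        String freshId = fresh.getId();

        if (freshId.equals(requestedId) || freshId.equals(oldId)) {
            // The id was not rotated: the identifier the client held before
            // logout now names a live session again. Record it so the
            // deployment (connector / context cookie settings) can be reviewed.
            log("session id reused after invalidate(): " + freshId
                    + " (requestedSessionId=" + requestedId + ")");
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Deploy it in a context with the default cookie path and the log line should never appear; with emptySessionPath="true" on a Tomcat 6 connector it will.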