https://issues.apache.org/bugzilla/show_bug.cgi?id=54340
--- Comment #2 from Koen Deforche <k...@emweb.be> ---
Hey,

Indeed, it looks like the same bug. I really did search the database, but, apparently, not well enough, so sorry for that.

We will test with a more recent version (we tested with Tomcat 7.0.26 and 7.0.28).

>> On top of this (and perhaps related to these problems), in the actual web
>> application a different session ID is actually printed.
>
> 2. As expected. See "changeSessionIdOnAuthentication" in
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

I do understand that the session ID is changed; however, I would have assumed that authentication happens when the credentials are received, i.e. in the POST to j_security_check, and then a redirect happens to a URL with a new session ID.

But this is not what is observed; instead it seems that either only the session ID is changed when the request arrives at the actual application, or there is a mismatch between the session ID in the URL and the one that is reported by sessionID()?

The expected behavior (to me), which is seen in Jetty, is that the first access to the actual application (after authentication) has a sessionId() reported that is equal to the session ID in the URL, but is possibly changed from a sessionId() that was used prior to authentication.

Regards,
koen