https://issues.apache.org/bugzilla/show_bug.cgi?id=55521
--- Comment #1 from Mark Thomas <ma...@apache.org> ---

I've taken a look at this and there are some things we can do in Tomcat to ensure that a call to invalidate() doesn't return until the session has been invalidated.

However, there may still be an issue that needs fixing in Spring Security. Looking at SessionFixationProtectionStrategy.applySessionFixation() it is possible (although even less likely than the issue you have seen) for concurrent requests to generate a series of invalidate / create / invalidate / create etc. events. It is pretty unlikely but is possible.

Since I work for Pivotal, I'll ping one of the developers.