On 14/09/2010 21:54, Christopher Schultz wrote:
> I encourage others to test other browsers. This was exhausting. :)
To add to the 'fun', recent Tomcat versions will change the session ID
(but not the session object) on authentication to prevent session
fixation attacks.
Mark
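
The behaviour described in the message above (a new session ID on authentication, same session object), as an added example that is not part of the original thread and is not Tomcat's code. SessionManager, authenticate and fixation_outcome are hypothetical names for a toy in-memory model, and the session data is constructed.

```python
import secrets


class SessionManager:
    """Toy model of a container's session table (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session ID -> session attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def change_session_id(self, old_sid):
        """Re-key the same session object under a fresh ID; the old ID stops resolving."""
        session = self._sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = session
        return new_sid

    def authenticate(self, sid, user, rotate=True):
        """Mark the session as logged in and, if rotate is set, issue a new ID."""
        session = self._sessions[sid]
        session["user"] = user
        return self.change_session_id(sid) if rotate else sid


def fixation_outcome(rotate):
    """Return (pre-login ID reaches the authenticated session, pre-login state kept)."""
    mgr = SessionManager()
    pre_login_sid = mgr.create()  # ID that was known to a third party before login
    mgr.get(pre_login_sid)["cart"] = ["item-1"]
    post_login_sid = mgr.authenticate(pre_login_sid, "alice", rotate=rotate)
    stale = mgr.get(pre_login_sid)
    fixed_id_authenticated = stale is not None and stale.get("user") == "alice"
    state_kept = mgr.get(post_login_sid)["cart"] == ["item-1"]
    return fixed_id_authenticated, state_kept


if __name__ == "__main__":
    print("rotate on login:", fixation_outcome(True))
    print("no rotation:   ", fixation_outcome(False))
```

With rotation the pre-login ID no longer resolves to any session, while the attributes set before login remain reachable under the new ID.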
---
Mark,
On 9/14/2010 12:30 PM, Mark Thomas wrote:
> On 14/09/2010 15:16, Christopher Schultz wrote:
>
> I'm in the middle of some major re-factoring so I don't have time to
> actually test this...
>
>> 0. [Browser has two JSESSIONID cookies: one secur