> From: bradford [mailto:fingerm...@gmail.com]
> Subject: Re: session fixation bug fix - questions
> What type of authentication are you referring to?
Any container-managed authentication. If your webapp is doing its own, then
you're in control.
> Are you talking about th
Thanks, Mark. What type of authentication are you referring to? Are
you talking about the first time they access the Tomcat server? Or
some sort of authentication I control in my application code?
I would like to use this feature. Should I just turn it on and see
what happens? Is there a test
On 10/03/2011 18:03, bradford wrote:
> I see that a session fixation fix [1] was backported into 5.5.29, but
> is disabled by default.
>
> 1) Why is this disabled by default?
Because things may blow up. Apps should handle this but...
> 2) Can I just turn it on and have all my problems solved? O
I see that a session fixation fix [1] was backported into 5.5.29, but
is disabled by default.
1) Why is this disabled by default?
2) Can I just turn it on and have all my problems solved? Or could
things blow up?
3) What is the authentication step the bug fix is referring to?
[1] https://issues.
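
The following is an added example, not part of the thread and not Tomcat's code: a simplified model of container-managed sessions showing what changing the session ID at the authentication step protects against, with the fix off and on. The `Container` class, the `change_id_on_auth` flag and the sample credentials are constructed for illustration.

```python
import secrets


class Container:
    """Toy model of container-managed sessions (not Tomcat's implementation)."""

    def __init__(self, change_id_on_auth):
        # Hypothetical flag standing in for the fix's on/off switch.
        self.change_id_on_auth = change_id_on_auth
        self.sessions = {}  # session id -> attribute dict

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def authenticate(self, sid, user, password, users):
        """Log in on an existing session; return the session id valid afterwards."""
        if sid not in self.sessions or users.get(user) != password:
            return None
        attrs = self.sessions[sid]
        if self.change_id_on_auth:
            # Move the attributes to a fresh id; the pre-login id stops resolving.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = attrs
        attrs["user"] = user
        return sid

    def whoami(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_scenario(change_id_on_auth):
    """Return (user seen via the pre-login id, user seen via the post-login id)."""
    users = {"alice": "constructed-password"}  # constructed sample credentials
    c = Container(change_id_on_auth)
    pre_login_id = c.new_session()  # id that was known to a third party before login
    c.sessions[pre_login_id]["cart"] = ["book"]
    post_login_id = c.authenticate(pre_login_id, "alice", "constructed-password", users)
    assert c.sessions[post_login_id]["cart"] == ["book"]  # attributes survive the change
    return c.whoami(pre_login_id), c.whoami(post_login_id)


if __name__ == "__main__":
    print("fix off:", run_scenario(False))
    print("fix on: ", run_scenario(True))
```

With the flag off, the pre-login ID resolves to the authenticated user; with it on, only the ID issued at authentication does.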