From: <glassfish_at_javadesktop.org>
Date: Thu, 18 Sep 2008 19:45:48 PDT

Just to summarize: I don't think there is any issue here. It is unfortunate that the resumed request will inherit (from the original request) a cookie with a JSESSIONID that does not match the currently active session (that was created by the FormAuthenticator when it forced a re-login), but as far as I can tell, the stale JSESSIONID cookie will not interfere with the currently active session in any way.

I have created a unit test under

  https://svn.dev.java.net/svn/glassfish-svn/trunk/v2/appserv-tests/devtests/web/formLoginAccessSessionOnResumedRequest

to prove the case.

Please let me know if you have any additional comments.

Thanks,

Jan
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=300276