On Tue, 2012-01-17 at 17:36 -0800, Shing Wai Chan wrote:
> I am looking at http://java.net/jira/browse/SERVLET_SPEC-13
> ("SERVLET_SPEC-13: Make session fixation protection part of the spec")

As the container would use this automagically, it would break existing
applications (the session id is used often as a key).

The new changeSessionId API method, if added, must be added on the
request object (since the request has fields about the session that must
be updated, and a new cookie must be added). So -1 for adding it on
HttpSession; I think this won't work well.
--
Remy Maucherat <rmaucher_at_redhat.com>
Red Hat Inc
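
An added illustration of the two points in the message above, not code from the Servlet specification or from any container: a plain-Java model in which the container rotates the session id at login. The `Session`, `Request` and store classes, the cookie attributes and the cart value are hypothetical stand-ins; only the method name `changeSessionId` comes from the message.

```java
import java.util.*;

// Added illustration, not Servlet API code: a minimal model of a container
// that rotates the session id at login (session fixation protection).
public class SessionIdRotationDemo {
    // Hypothetical stand-ins for the container's session and request objects.
    static class Session {
        String id;
        final Map<String, Object> attributes = new HashMap<>();
        Session(String id) { this.id = id; }
    }

    static class Request {
        String requestedSessionId;                        // id the client sent
        final List<String> setCookieHeaders = new ArrayList<>();
        final Session session;
        Request(Session s) { this.session = s; this.requestedSessionId = s.id; }

        // Rotation at the request level: the session object and its attributes
        // survive, the request's view of the id is updated, a new cookie is queued.
        String changeSessionId(Map<String, Session> store) {
            String newId = UUID.randomUUID().toString();  // stand-in id generator
            store.remove(session.id);                     // old id stops resolving
            session.id = newId;
            store.put(newId, session);
            requestedSessionId = newId;
            setCookieHeaders.add("JSESSIONID=" + newId + "; Path=/; HttpOnly");
            return newId;
        }
    }

    public static void main(String[] args) {
        Map<String, Session> containerStore = new HashMap<>();
        Session s = new Session("constructed-pre-login-id");  // constructed sample
        containerStore.put(s.id, s);
        Request req = new Request(s);

        // Application state keyed by session id: the pattern that breaks.
        Map<String, String> cartBySessionId = new HashMap<>();
        cartBySessionId.put(s.id, "cart-42");
        s.attributes.put("cart", "cart-42");  // same state held in the session

        String oldId = s.id;
        req.changeSessionId(containerStore);  // rotation at authentication time

        System.out.println("old id resolves:   " + containerStore.containsKey(oldId));
        System.out.println("app map by new id: " + cartBySessionId.get(s.id));
        System.out.println("session attribute: " + s.attributes.get("cart"));
        System.out.println("Set-Cookie:        " + req.setCookieHeaders.get(0));
    }
}
```

After rotation the application map keyed by the old id returns `null` for the new id, while the value stored as a session attribute is still reachable.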