jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Digest for list jsr340-experts@servlet-spec.java.net

From: Mark Thomas <markt_at_apache.org>
Date: Sun, 22 Jan 2012 17:00:41 +0000

On 22/01/2012 06:50, Shing Wai Chan wrote:
> This method can be called by the authentication mechanism.
> For instance, it can be the container implementation of form-based login or
> a user-defined JSR 196 auth module.
>
> Shing Wai Chan
>
> The contents of the session will remain the same.
>
> On 1/21/12 2:20 PM, Jeff Williams wrote:
>> Will there be guidance to developers on when to use this method?

There will probably be some information (mainly for container
developers) indicating when the method should be used.

>> Could we require it to be called upon login?

We could, but we won't since using it can break existing apps. It should
be recommended for containers to use it by default on authentication
with an option to disable its use.

>> I assume that the contents of the session will remain unchanged?

Correct.

Mark

>>
>> --Jeff
>>
>>
>> -----Original Message-----
>> From: jsr340-experts-request_at_servlet-spec.java.net
>> [mailto:jsr340-experts-request_at_servlet-spec.java.net]
>> Sent: Saturday, January 21, 2012 4:19 AM
>> To: jsr340-experts_at_servlet-spec.java.net
>> Subject: Digest for list jsr340-experts_at_servlet-spec.java.net
>>
>> Table of contents:
>>
>> 1. [jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation
>> protection part of the spec - Mark Thomas<markt_at_apache.org>
>>
>
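
Added example, not part of the original thread and not code from the expert group: a login servlet that changes the session ID on successful authentication while keeping the session contents, with a switch to disable it for applications that break. It assumes the method under discussion is the one Servlet 3.1 standardized as HttpServletRequest.changeSessionId(); the init parameter name rotateSessionIdOnLogin, the attribute name and the /login and /home paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: paths and the init parameter name are assumptions.
@WebServlet(urlPatterns = "/login",
        initParams = @WebInitParam(name = "rotateSessionIdOnLogin", value = "true"))
public class LoginServlet extends HttpServlet {

    private boolean rotateOnLogin = true;

    @Override
    public void init() {
        // On by default; a deployment can set the parameter to "false".
        String p = getInitParameter("rotateSessionIdOnLogin");
        rotateOnLogin = (p == null) || Boolean.parseBoolean(p);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A session created before login carries an ID that may already be
        // known to someone other than the user (session fixation).
        HttpSession preLogin = req.getSession(false);
        try {
            // Servlet 3.0 programmatic login against the container's realm.
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // changeSessionId() throws IllegalStateException when the request has
        // no session, so only call it for a session that existed before login.
        if (preLogin != null && rotateOnLogin) {
            req.changeSessionId(); // new ID, same HttpSession and attributes
        }
        // Attributes stored before login are still present after the change.
        HttpSession session = req.getSession(true);
        session.setAttribute("authenticatedUser", req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```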