>>>>>> On Tue, 2012-01-17 at 17:36 -0800, Shing Wai Chan wrote:
>>>> I notice one more different: a String argument.
>>>> In Tomcat (and also GlassFish), we have
>>>> org.apache.catalina.connector.Request#changeSessionId(String newSessionId)
>>> In my opinion the session ids must be container managed. We can't rely on the users
>>> of the API to be able to generate good IDs. I am not in favour of letting users
>>> generate Ids.
>> Agreed. org.apache.catalina.connector.Request is an internal class and
>> could easily be refactored to not take the new session ID.
>>
>>>> In other words, the caller of the API need to know a newSessionId as follows:
>>>> a) javax.servlet.http.HttpServletRequest:
>>>> public void changeSessionId(String newSessionId);
>>> -1. See above.
>> Agreed. -1 to the API allowing the new ID to be specified.
>>
>>> public void changeSessionId() is OK.
>>>
>>> public String changeSessionId() can be considered as alternative.
>>>
>>> It's likely that the new sessionId will be needed right after it's generated.
>> I have no issues with this proposed change.
>>
>> Mark
> Agreed to have this on HttpServletRequest.
>>> Alex
>>>
>>>> Also, in previous bug comments and discussion, there is a suggestion to add a new method:
>>>> b) javax.servlet.http.HttpSessionListener
>>>> public void sessionIdChanged(HttpSessionEvent se);
>>>>
>>>> Note that (b) may break some of the user applications. Is it ok?
I am not sure I understand how it breaks existing apps.
Alex
>>>>
>>>> Shing Wai Chan
>>>>
>>>>
>>>>
> I feel the change of session id has to be notified. Since adding it in HttpSessionListener might break the interface. How about introducing an standard 'javax.servlet.http.session.id' session attribute and notify using :
> javax.servlet.http.HttpSessionAttributeListener
> void attributeAdded(javax.servlet.http.HttpSessionBindingEvent event);
> void attributeReplaced(javax.servlet.http.HttpSessionBindingEvent event);
>
>>
>
>