jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

From: Mark Thomas <markt_at_apache.org>
Date: Wed, 25 Jan 2012 12:39:32 +0000

On 25/01/2012 02:43, Alex Rojkov wrote:
> I don't think it should be default behaviour because it definitely breaks the session id contracts
> established by previous versions of the spec.

Whether or not the session id is changed on authentication should be up
to the container. My own view is that they should but I only get a vote
on what Tomcat does. The specification should not mandate either doing
this or not doing this.

> So adding the method onto an HttpSessionListener is fine and no need to create an extra class.

I'm happy with doing this and letting the containers make the decision
re backwards compatibility. I'd also be happy with a new interface.

Mark
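As an added illustration of the mechanism under discussion (not code from the thread or from Tomcat): an application can rotate the session id itself at the moment of authentication, regardless of what the container does by default, and observe the rotation through a listener. It assumes the Servlet 3.1 API as JSR 340 eventually shipped it, namely `HttpServletRequest.changeSessionId()` and the `HttpSessionIdListener` interface; the `/login` path and `/home` redirect target are placeholders chosen for the example.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Login endpoint (path is an assumption for this example). Session fixation
// relies on the id that existed before login surviving authentication, so the
// id is replaced immediately after the container accepts the credentials.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Servlet 3.0 programmatic login against the container's realm.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // Servlet 3.1: issues a fresh id, keeps the session's attributes, invalidates
        // the old id, and notifies every registered HttpSessionIdListener.
        req.changeSessionId();
        LOG.info("session id rotated after login for user " + req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/home"); // redirect target is a placeholder
    }

    // Audit hook for the rotation; declared as a nested class here only to keep the
    // example in one file. Ids themselves are deliberately not written to the log.
    @WebListener
    public static class SessionIdRotationListener implements HttpSessionIdListener {
        private static final Logger LOG = Logger.getLogger(SessionIdRotationListener.class.getName());

        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            boolean changed = !oldSessionId.equals(event.getSession().getId());
            LOG.info("session id changed: " + changed + ", old id length " + oldSessionId.length());
        }
    }
}
```

The rotation must happen before the response is committed, which is why it sits in the login handler rather than in a filter that runs after the chain; otherwise the new id cannot be sent to the client.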