jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Remy Maucherat <rmaucher_at_redhat.com>
Date: Mon, 30 Jan 2012 09:51:00 +0100

On Mon, 2012-01-30 at 17:00 +1100, Greg Wilkins wrote:
>
> I agree that adding a method to allow the application to provoke a
> session ID change is a good addition.
> However, I question why this is on the Request API? Surely it would
> be better on the HttpSession itself?

It is on the request object since the session cookie must be changed
too.

-- 
Remy Maucherat <rmaucher_at_redhat.com>
Red Hat Inc

This message: [ Message body ]
Next message: Shing Wai Chan: "[jsr340-experts] Re: [servlet-spec users] SERVLET_SPEC-6: Undefined behaviour for AsyncContext#getRequest() and getResponse() after timeout"
Previous message: Greg Wilkins: "[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec"
In reply to: Greg Wilkins: "[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec"
Next in thread: Greg Wilkins: "[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec"
Reply: Greg Wilkins: "[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]