On 30 January 2012 19:51, Remy Maucherat <rmaucher_at_redhat.com> wrote:
> On Mon, 2012-01-30 at 17:00 +1100, Greg Wilkins wrote:
> >
> > I agree that adding a method to allow the application to provoke a
> > session ID change is a good addition.
> > However, I question why this is on the Request API? Surely it would
> > be better on the HttpSession itself?
>
> It is on the request object since the session cookie must be changed
> too.
>
Unless you are not using cookies, in which case it is the response that has
to encode URIs with the new session ID.
Also,changing session cookies is done by adding a setCookie to the
response, so that is also not a request method.
Also as there are a lot more request wrappers than session wrappers, adding
methods to session should be less disruptive than adding them to request.