On Mon, 2012-07-09 at 13:52 -0700, Shing Wai Chan wrote:
> Hi,
>
> Before EDR, there were discussions about the adding a API to change session.
> Let me summarize what we have discussion:
>
> I. change session id API - three options was discussed
> A. add API to HttpSession
> String changeId(); // return the id
> B. add API to HttpSession
> a. String changeId(HttpServletRequest req);
> b. String changeId(HttpServletRequest req, HttpServletResponse res);
> C . add API to HttpServletRequest
> String changeSessionId();
>
> My preference would be (c).
+1
> II. event - three options are discussed
> A. add API to HttpSessionListener // will break backward compatibility
> a. void sessionIdChanged (HttpSessionEvent se);
> b. void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
> B. add attribute javax.servlet.http.session.id attribute
> and notify using
> javax.servlet.http.HttpSessionAttributeListener#attributeAdded,
> #attributeReplaced
> C. add a new listener, HttpSessionIdListener
> void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
>
> I prefer (c).
Another listener type has a cost, but B is bad and A is not possible. So
C looks the best of the three options here.
--
Remy Maucherat <rmaucher_at_redhat.com>
Red Hat Inc