jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Mon, 09 Jul 2012 13:52:17 -0700

Hi,

Before EDR, there were discussions about adding an API to change the session.
Let me summarize what we have discussed:

I. change session id API - three options were discussed
A. add API to HttpSession
         String changeId(); // return the id
B. add API to HttpSession
     a. String changeId(HttpServletRequest req);
     b. String changeId(HttpServletRequest req, HttpServletResponse res);
C. add API to HttpServletRequest
         String changeSessionId();

My preference would be (c).

II. event - three options are discussed
A. add API to HttpSessionListener // will break backward compatibility
     a. void sessionIdChanged(HttpSessionEvent se);
     b. void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
B. add a javax.servlet.http.session.id attribute
     and notify using
     javax.servlet.http.HttpSessionAttributeListener#attributeAdded,
     #attributeReplaced
C. add a new listener, HttpSessionIdListener
         void sessionIdChanged(HttpSessionEvent se, String oldSessionId);

I prefer (c).

Any comments?
Shing Wai Chan
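As an added illustration (not part of the mailing-list message) of how an application would use the two preferred options together: option I.C, HttpServletRequest#changeSessionId(), is called at the login boundary so an id planted in the browser before authentication no longer names the authenticated session, and option II.C, HttpSessionIdListener#sessionIdChanged(HttpSessionEvent, String oldSessionId), uses the old id to re-key state the application indexes by session id. The user store and the session registry are constructed demo data, the @WebServlet/@WebListener annotations are the Servlet 3.0 ones, and each public class is assumed to live in its own source file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Constructed demo state: a user store and a registry keyed by session id,
// the kind of id-keyed state that option II.C's oldSessionId lets us re-key.
final class Demo {
    static final Map<String, String> USERS = Map.of("alice", "correct horse");
    static final Map<String, String> USER_BY_SESSION_ID = new ConcurrentHashMap<>();
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pw = req.getParameter("password");
        String expected = user == null ? null : Demo.USERS.get(user);
        // Constant-time compare against the demo store (a real app checks a hash).
        if (pw == null || expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pw.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        Demo.USER_BY_SESSION_ID.put(session.getId(), user);
        // Option I.C: rotate the id at the privilege boundary; the listener
        // below receives the old id and moves the registry entry to the new one.
        req.changeSessionId();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

@WebListener
public class SessionIdAudit implements HttpSessionIdListener {
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        // Option II.C: without oldSessionId this entry would be orphaned under
        // a key that no longer exists; with it the state follows the session.
        String user = Demo.USER_BY_SESSION_ID.remove(oldSessionId);
        if (user != null) {
            Demo.USER_BY_SESSION_ID.put(se.getSession().getId(), user);
        }
    }
}
```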