users@servlet-spec.java.net

[servlet-spec users] Session fixation and programmatic login

From: Jan Bartel <janb_at_intalio.com>
Date: Fri, 5 Oct 2012 13:54:57 +1000

Hi,

The 3.0 Spec sec 13.10 Login and Logout, page 145 says:

"If a developer creates a session while a user is not authenticated,
and the container then
authenticates the user, the session visible to developer code after
login must be the
same session object that was created prior to login occurring so that
there is no loss
of session information."

Does that mean that if a session exists before a user calls
Request.login(), the container cannot implement session fixation
prevention and change the session id automatically? If
changing the session id is actually permitted, should the above clause
be taken to mean that the object must actually be one and the same?
I.e. that sessionPrev == sessionNew ?

Alternatively is the container not permitted to implement automatic
session fixation prevention, and callers of Request.login() must
explicitly call Request.changeSessionId()?

Jan
-- 
Jan Bartel <janb_at_intalio.com>
www.webtide.com – Developer advice, services and support
from the Jetty & CometD experts.
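An added example (not from this thread, and not code from any servlet container or from the spec) of the defensive pattern the question turns on: renewing the session id at the moment of programmatic login without losing the attributes stored in the pre-login session. The servlet path, parameter names and logging are assumptions. The first helper uses `HttpServletRequest.changeSessionId()` and `HttpSessionIdListener`, both of which belong to the Servlet 3.1 API, so the pre-login `HttpSession` object is kept and only its id changes; the second helper is the fallback for a 3.0 container, where the only option is invalidate-and-copy, which yields a new session object but preserves the attributes (the "no loss of session information" the clause is concerned with).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/** Hypothetical login servlet; the path and form field names are assumptions. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A session that already exists before authentication (e.g. holding a
        // shopping cart) is exactly the case the spec clause talks about.
        HttpSession pre = req.getSession(true);
        String idBeforeLogin = pre.getId();

        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            // Do not renew the id on failure; nothing about the session changed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Renew the id ourselves instead of relying on the container to do it.
        String idAfterLogin = renewSessionIdKeepingObject(req);
        HttpSession post = req.getSession(false);

        // With changeSessionId() the object is the same and the id differs;
        // the listener below records the change for audit purposes.
        boolean sameObject = (post == pre);
        boolean idChanged = !idAfterLogin.equals(idBeforeLogin);
        log("login for " + req.getRemoteUser() + ": idChanged=" + idChanged
                + " sameSessionObject=" + sameObject);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Servlet 3.1: the container rekeys the existing session in place. */
    static String renewSessionIdKeepingObject(HttpServletRequest req) {
        req.getSession(true);           // make sure a session exists to rekey
        return req.changeSessionId();   // attributes untouched, same object
    }

    /**
     * Servlet 3.0 fallback: no changeSessionId(), so copy the attributes,
     * invalidate the old session and create a fresh one with a new id.
     * The returned session is a different object but carries the same data.
     */
    static HttpSession renewSessionIdByCopy(HttpServletRequest req) {
        HttpSession old = req.getSession(true);
        Map<String, Object> saved = new HashMap<String, Object>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Audit hook (Servlet 3.1) so id renewals are visible in container logs. */
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            event.getSession().getServletContext().log(
                    "session id changed: " + oldSessionId
                    + " -> " + event.getSession().getId());
        }
    }
}
```

On a 3.1 container the log line after a successful login should show `idChanged=true sameSessionObject=true`, which is how the spec's "same session object" wording and session fixation prevention coexist; on a 3.0 container, swapping in `renewSessionIdByCopy` keeps the attributes but yields a new object, so any code that cached the old `HttpSession` reference must re-fetch it from the request.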