On 09/10/2012 01:16, Shing Wai Chan wrote:
> Let me clarify.
> First I agree with Mark on the following:
> * we can implement session fixation prevention issue when the session is
> the "same" after calling request#changeSessionId.
> * it is up to implementation on what to do. It may or may not call
> request#changeSessionId.
>
> The question that I had was whether we should retain the same session
> object instance.
> At the beginning, I had a concern about having a requirement of the
> same object instance in an HA environment.
> But on second thought, it should be.
> Otherwise, objects that implement HttpSessionBindingListener will be invoked
> again, which may have other side effects.
Certainly keeping the object the same is the simplest way of
implementing the requirement but that isn't the actual requirement. The
actual requirement is:
- session ID changes
- session content unchanged
- event for changed session ID is fired
- no other events are fired (session creation / destruction, attribute
events, etc.)
It is simpler to keep the "same object" requirement and I am happy with
the spec saying that.
However, if someone has a good reason they want to relax the "same
object" requirement then I have no objection as long as containers are
free to use the same object if they wish.
Mark
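An added example to illustrate the four-point contract Mark lists above (this is not code from the thread, from Tomcat or from the Servlet API). It is a small Python model of a container's session registry with two ways of rotating the ID: one that keeps the same session object and fires only an id-changed event, and the tempting alternative that creates a fresh session, copies the attributes and invalidates the old one. All class and method names (SessionManager, change_session_id, naive_change_session_id, RecordingListener, rotate) are assumptions of the model, not Servlet API names; the listener hooks mirror HttpSessionBindingListener and HttpSessionIdListener only in spirit. The sample session content is constructed inline.

```python
import secrets


class RecordingListener:
    """Attribute value modelled on HttpSessionBindingListener: it records every
    valueBound/valueUnbound callback it receives (the side effect in question)."""

    def __init__(self, events):
        self.events = events

    def value_bound(self, session, name):
        self.events.append(("valueBound", name, session.id))

    def value_unbound(self, session, name):
        self.events.append(("valueUnbound", name, session.id))


class Session:
    """Minimal stand-in for an HttpSession: an id plus attributes with binding callbacks."""

    def __init__(self, sid, events):
        self.id = sid
        self.events = events          # shared log of listener callbacks (model assumption)
        self._attrs = {}

    def set_attribute(self, name, value):
        old = self._attrs.get(name)
        self._attrs[name] = value
        if hasattr(old, "value_unbound"):
            old.value_unbound(self, name)
        if hasattr(value, "value_bound"):
            value.value_bound(self, name)

    def get_attribute(self, name):
        return self._attrs.get(name)

    def attribute_names(self):
        return list(self._attrs)

    def invalidate(self):
        self.events.append(("sessionDestroyed", self.id))
        for name, value in list(self._attrs.items()):
            if hasattr(value, "value_unbound"):
                value.value_unbound(self, name)
        self._attrs.clear()


class SessionManager:
    """Container-side registry. `events` logs every callback so a caller can
    see exactly which listeners a given operation fired."""

    def __init__(self):
        self.events = []
        self._sessions = {}

    def lookup(self, sid):
        return self._sessions.get(sid)

    def create_session(self):
        session = Session(secrets.token_hex(16), self.events)
        self._sessions[session.id] = session
        self.events.append(("sessionCreated", session.id))
        return session

    def change_session_id(self, session):
        """The contract from the thread: the id changes, the content and the
        object stay the same, and only the id-changed event fires."""
        old_id = session.id
        del self._sessions[old_id]            # the attacker-known id stops resolving
        session.id = secrets.token_hex(16)
        self._sessions[session.id] = session
        self.events.append(("sessionIdChanged", old_id, session.id))
        return session

    def naive_change_session_id(self, session):
        """The alternative: new session, attributes copied, old one invalidated.
        Content survives, but create/destroy events fire and every binding
        listener is unbound from the old session after being bound to the new."""
        fresh = self.create_session()
        for name in session.attribute_names():
            fresh.set_attribute(name, session.get_attribute(name))
        del self._sessions[session.id]
        session.invalidate()
        return fresh


def rotate(manager, compliant):
    """Build a session with constructed content, rotate its id at the point a
    login would, and report what changed and which events the rotation fired."""
    session = manager.create_session()
    session.set_attribute("cart", ["item-1"])
    session.set_attribute("audit", RecordingListener(manager.events))
    manager.events.clear()                    # only the rotation's own events matter
    old_id = session.id
    if compliant:
        rotated = manager.change_session_id(session)
    else:
        rotated = manager.naive_change_session_id(session)
    return {
        "same_object": rotated is session,
        "id_changed": rotated.id != old_id,
        "old_id_resolves": manager.lookup(old_id) is not None,
        "cart_kept": rotated.get_attribute("cart") == ["item-1"],
        "event_kinds": [e[0] for e in manager.events],
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("compliant" if mode else "naive", rotate(SessionManager(), mode))
```

Both strategies defeat fixation in the narrow sense (the old id no longer resolves and the content is preserved), but only the first satisfies "no other events are fired": the copy-and-invalidate variant makes the same RecordingListener instance observe valueBound on the new session and then valueUnbound on the old one, which is the repeated-invocation side effect the quoted message warns about.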