Mark,
On 9 October 2012 22:45, Mark Thomas <markt_at_apache.org> wrote:
> On 09/10/2012 01:16, Shing Wai Chan wrote:
>> Let me clarify.
>> First I agree with Mark on the following:
>> * we can implement session fixation prevention issue when the session is
>> the "same" after calling request#changeSessionId.
>> * it is up to implementation on what to do. It may or may not call
>> request#changeSessionId.
>>
>> The question that I had was whether we should retain the same session
>> object instance.
>> At the beginning, I have a concern on having a requirement of having the
>> same object instance in the HA environment.
>> But on second thought, it should be.
>> Otherwise, objects implementing HttpSessionBindingListener will be invoked
>> again which may have other side effect.
>
> Certainly keeping the object the same is the simplest way of
> implementing the requirement but that isn't the actual requirement. The
> actual requirement is:
> - session ID changes
> - session content unchanged
> - event for changed session ID is fired
> - no other events are fired (session creation / destruction, attribute
> events etc)
These should all be stated in the specification - after all the whole
purpose of the spec is to be as precise as possible.
>
> It is simpler to keep the "same object" requirement and I am happy with
> the spec saying that.
>
> However, if someone has a good reason they want to relax the "same
> object" requirement then I have no objection as long as containers are
> free to use the same object if they wish.
I too don't have any preference one way or the other (although object
equality may make intuitive sense). I just want both Request.login()
and Request.changeId() to be specified in a logical, clear and
unambiguous manner.
Jan
>
> Mark
>
--
Jan Bartel <janb_at_intalio.com>
www.webtide.com – Developer advice, services and support
from the Jetty & CometD experts.
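An added Java example, not code from this thread or from Jetty or Tomcat, showing how a login servlet would use the API under discussion and observe the four requirements Mark lists (ID changes, content intact, ID-changed event fired, no binding events). It assumes the Servlet 3.1 `javax.servlet` API as eventually published; the `/login` path, the `username`/`password` parameters and the `Principal` helper class are made up for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Fired once per changeSessionId(); the only event the thread says must be delivered. */
    @WebListener
    public static class IdChangeListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent e, String oldId) {
            // Log prefixes only: a session ID is a bearer credential and does not belong in logs.
            System.out.printf("session id rotated: %s... -> %s...%n",
                    oldId.substring(0, 4), e.getSession().getId().substring(0, 4));
        }
    }

    /** Hypothetical attribute that reports binding callbacks; valueUnbound must not fire on an ID change. */
    public static class Principal implements HttpSessionBindingListener, java.io.Serializable {
        final String user;
        Principal(String user) { this.user = user; }
        @Override public void valueBound(HttpSessionBindingEvent e) { System.out.println("bound " + user); }
        @Override public void valueUnbound(HttpSessionBindingEvent e) {
            System.out.println("UNBOUND " + user + " (unexpected during changeSessionId)");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession before = req.getSession(true);  // pre-authentication session, possibly set by a third party
        String oldId = before.getId();
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        before.setAttribute("principal", new Principal(req.getRemoteUser()));  // valueBound fires here, once
        String newId = req.changeSessionId();  // session fixation mitigation: new ID, same content
        HttpSession after = req.getSession(false);
        // Checks for the requirements from the thread: ID changed, content unchanged. Same-instance is
        // what containers are free to do, not a spec requirement, so it is only reported.
        if (newId.equals(oldId) || after.getAttribute("principal") == null) {
            throw new ServletException("container did not rotate the session id correctly");
        }
        resp.getWriter().printf("logged in as %s, same session instance: %b%n",
                req.getRemoteUser(), after == before);
    }
}
```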