You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2000/10/03 10:53:03 UTC

BugRat Report #192 has been filed.

Bug report #192 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/192>

REPORT #192 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: medium
Severity: serious
Confidence: public
Environment: 
   Release: Tomcat 3.1
   JVM Release: 1.2.2
   Operating System: Windows NT
   OS Release: 4.0
   Platform: Intel Pentium

Synopsis: 
request.getRequestedSessionId() does not return session ID requested by client

Description:
The request object's getRequestedSessionId() method returns the actual session ID, not the session ID requested by the client.
This is making it more difficult to identify and warn users who have cookies turned off, and to recognise session timeouts.
Other related methods are also affected. In particular isRequestedSessionIdValid() is always returning true, even with cookies turned off.
My understanding is that as Tomcat only supports session tracking using cookies, when they are turned off getRequestedSessionId() should return null, and isRequestedSessionIdValid() should return false.