Posted to users@tomcat.apache.org by William Stranathan <sh...@gmail.com> on 2005/04/06 16:49:23 UTC

New Session on Authentication?

Is there a configuration setting to force Tomcat to expire the old
session and put the user in a new one when they log in using any of
the Realms?  For example, this is a problem:

- User tries to access a restricted page - no session set up
- Tomcat redirects to the login page, appends ;jsessionid=<id> to the URL
- User successfully authenticates

Now, a URL with a valid session ID is in the user's history, might be
logged, and an unknowing user could copy/paste that URL to somebody
say in a newsgroup or something.

I'm using mod-rewrite on an Apache server in front of Tomcat to fix
the jsessionid going in the URL, but is there any way to force Tomcat
to make a new session upon authentication?  I know that this is not
always desirable - a user may have preferences in their session before
they authenticate, so I think it should be optional.

Thanks for any help.
Will Stranathan
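An added example (not from this thread and not Tomcat's own code) of what "make a new session upon authentication" looks like when done in a servlet filter: the first request that arrives with a principal set by the Realm gets its pre-login session replaced by a fresh one, and the attributes (the user's pre-login preferences mentioned above) are carried over. The class name and the marker attribute name are my own; the filter is assumed to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rotates the session ID the first time a request arrives with an
 * authenticated principal, so the pre-login session (whose ID may have
 * been exposed in a ;jsessionid= URL) is no longer valid after login.
 * Attributes set before login are carried over to the new session.
 */
public class SessionRenewalFilter implements Filter {
    // Marker attribute (hypothetical name) set on the renewed session so
    // the rotation happens only once per login, not on every request.
    static final String RENEWED = "sessionRenewalFilter.renewed";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        // The container's authenticator has already run (the Realm set the
        // principal), but this session was created before login: migrate it.
        if (http.getRemoteUser() != null && session != null
                && session.getAttribute(RENEWED) == null) {
            renewSession(http);
        }
        chain.doFilter(req, res);
    }

    /** Copy attributes, invalidate the old session, create one with a new ID. */
    static HttpSession renewSession(HttpServletRequest http) {
        HttpSession old = http.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = http.getSession(true); // container issues a new ID here
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(RENEWED, Boolean.TRUE);
        return fresh;
    }
}
```

This suits authentication schemes that present credentials on every request (BASIC, DIGEST, CLIENT-CERT), and `renewSession` can equally be called from an application's own login servlet right after it verifies a password. With Tomcat's FORM authenticator the principal is cached on the container-side session, so invalidating that session logs the user out again; there the rotation has to happen inside the authenticator rather than in a filter.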
