Posted to users@tomcat.apache.org by William Stranathan <sh...@gmail.com> on 2005/04/06 16:49:23 UTC
New Session on Authentication?
Is there a configuration setting to force Tomcat to expire the old
session and put the user in a new one when they log in using any of
the Realms? For example, this is a problem:
- User tries to access a restricted page - no session set up
- Tomcat redirects to the login page, appends ;jsessionid=<id> to the URL
- User successfully authenticates
Now, a URL with a valid session ID is in the user's history, might be
logged, and an unknowing user could copy/paste that URL to somebody,
say in a newsgroup or something.
I'm using mod_rewrite on an Apache server in front of Tomcat to fix
the jsessionid going in the URL, but is there any way to force Tomcat
to make a new session upon authentication? I know that this is not
always desirable - a user may have preferences in their session before
they authenticate, so I think it should be optional.
Thanks for any help.
Will Stranathan
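The behaviour asked for above, modelled as an added example (not part of the original post and not Tomcat code): a constructed in-memory session table, written in Python so it runs without a servlet container. `SessionStore`, `login`, `rotate`, `keep_attrs` and `demo` are hypothetical names; the model shows that with rotation the id from the login URL stops resolving after authentication, while pre-login attributes can optionally be carried over.

```python
import secrets


class SessionStore:
    """Minimal in-memory model of a container's session table (constructed)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None, "attrs": dict}

    def create(self):
        sid = secrets.token_hex(16)  # unpredictable id, like a generated jsessionid
        self._sessions[sid] = {"user": None, "attrs": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, rotate=True, keep_attrs=True):
        """Bind user to a session; with rotate=True issue a fresh id and retire the old one."""
        old = self._sessions.get(sid)
        if old is None:
            # Unknown id (expired or supplied by someone else): never adopt it.
            old = {"user": None, "attrs": {}}
            rotate = True
        if not rotate:
            old["user"] = user  # the id already seen in the URL is now authenticated
            return sid
        self._sessions.pop(sid, None)  # the old id stops resolving
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        if keep_attrs:
            # Optional carry-over of pre-login state such as preferences.
            self._sessions[new_sid]["attrs"] = dict(old["attrs"])
        return new_sid


def demo(rotate):
    """Return (URL id, post-login id, user the URL id resolves to, post-login attrs)."""
    store = SessionStore()
    url_sid = store.create()  # the id appended as ;jsessionid=<id>
    store.get(url_sid)["attrs"]["theme"] = "dark"  # constructed pre-login preference
    post_sid = store.login(url_sid, "will", rotate=rotate)
    leaked = store.get(url_sid)
    leaked_user = leaked["user"] if leaked else None
    return url_sid, post_sid, leaked_user, store.get(post_sid)["attrs"]
```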