https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #12 from Folke B. <f...@toxis.com>  2009-04-27 09:08:54 PST ---
(In reply to comment #11)
> The Servlet 3.0 spec (i.e. Tomcat 7 / trunk) includes this as part of the spec.
> Look for javax.servlet.SessionTrackingMode
> 
> I think this will do everything you are looking for, although it does mean
> waiting for Tomcat 7.

Sadly, Tomcat 7 may not be an option for many of us for a long time. I had to
fight really hard for the switch to Tomcat 6. Please reconsider applying this
small patch to Tomcat 6 because session fixation is a real threat. 

Though it's reassuring to have Tomcat abide by the rules by default, it
wouldn't hurt to give users more options, even spec breaking options,
especially when it comes to security. I'd rather have Tomcat warn me that the
webapp is deployed into a non-compliant context than put my client's data
at risk.
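For readers who land on this thread looking for the actual mitigation: the following is an added example, not Tomcat code and not the patch attached to this bug. It shows the portable fix for session fixation (invalidate the session the client arrived with and issue a fresh id at the moment credentials are verified), which needs nothing beyond the Servlet 2.5 API and so works on Tomcat 6, alongside the Servlet 3.0 SessionTrackingMode restriction referred to in comment #11. The class and method names are hypothetical; the nested listener compiles only against the Servlet 3.0 API, so drop it when building for a 2.5 container.

```java
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not Tomcat code): defeats session fixation by
 * discarding whatever session id the client arrived with and issuing a
 * fresh one at the moment of authentication.
 */
public final class SessionFixationGuard {

    private SessionFixationGuard() { }

    /**
     * Call right after the credentials have been verified and BEFORE the
     * session is marked as authenticated (e.g. before setting a "user"
     * attribute). Uses only Servlet 2.4/2.5 API, so it runs on Tomcat 6.
     *
     * Any id the attacker planted (through a crafted ;jsessionid= URL or an
     * injected cookie) dies with invalidate(); the id the browser keeps from
     * here on is one the attacker never saw.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Keep pre-login state (cart, locale, ...) that should survive.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        // getSession(true) after invalidate() creates a session with a new id
        // and sets the JSESSIONID cookie on this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Servlet 3.0 counterpart of the SessionTrackingMode suggestion in
     * comment #11: accept session ids from cookies only, so a jsessionid
     * smuggled in a URL is ignored. Register in web.xml as
     * <listener-class>SessionFixationGuard$CookieOnlyTracking</listener-class>
     * (or, equivalently, <tracking-mode>COOKIE</tracking-mode> inside
     * <session-config>). This needs a Servlet 3.0 container (Tomcat 7).
     */
    public static final class CookieOnlyTracking implements ServletContextListener {
        public void contextInitialized(ServletContextEvent event) {
            event.getServletContext()
                 .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        }
        public void contextDestroyed(ServletContextEvent event) { }
    }
}
```

Two caveats worth keeping in mind: regenerate() must run on the login request itself (a later request already carries the new cookie, so a redirect in between is fine, but do not defer it to a filter that runs only on the next hit), and the attribute copy should be reviewed so that nothing the unauthenticated session was allowed to hold is silently promoted into the authenticated one.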
