https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #16 from Rejeev Divakaran <rej...@gmail.com> 2009-09-23 09:47:24 PDT ---

I think we have misunderstood session fixation. Disabling URL rewrite will not solve session fixation. Please refer to http://www.owasp.org/index.php/Session_Fixation and http://rejeev.blogspot.com/2009/09/session-fixation_08.html

The correct solution for session fixation is to create a new session cookie each time an authentication happens (discard the old cookie and send a new cookie to the client after authentication).
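
The fix described in the comment above, sketched as a servlet helper. This is an added example, not part of the original comment and not Tomcat's own code. It assumes the standard `javax.servlet` API; the class name `SessionRenewal`, the `authenticatedUser` attribute and the `keep` allow-list are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call it only after the credentials have been verified. */
public final class SessionRenewal {
    private SessionRenewal() {}

    /**
     * Discards the pre-login session and issues a new one, so an ID that was
     * known before authentication never becomes an authenticated ID.
     * keep = allow-list of pre-login attribute names to carry over.
     */
    public static HttpSession renew(HttpServletRequest request, String user, Set<String> keep) {
        Map<String, Object> carried = new HashMap<>();
        String oldId = null;
        HttpSession old = request.getSession(false);   // do not create one here
        if (old != null) {
            oldId = old.getId();
            for (String name : keep) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate();                          // old ID is dead server-side
        }
        HttpSession fresh = request.getSession(true);  // container sends a new cookie
        if (fresh.getId().equals(oldId)) {
            // Fail closed if the container handed back the same ID.
            fresh.invalidate();
            throw new IllegalStateException("session ID was not renewed at login");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("authenticatedUser", user); // assumed attribute name
        return fresh;
    }
}
```

Carrying only allow-listed attributes keeps values that were set in the pre-login session from being copied wholesale into the authenticated one.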