After discussing with Mark T, I'm working on implementing HttpServletRequest.changeSessionId() and the calling of HttpSessionIdListeners as introduced in the Servlet 3.1 specification. I'd like to help and it seemed like a trivial enough item for me to tackle (I may regret saying that :-P).
Tomcat already has some utilities built-in for changing session IDs, so that helped me significantly. Currently I'm seeing that there are a couple places where session IDs can already change in Tomcat:

- Request is authenticated via some container-provided mechanism and changeSessionIdOnAuthentication is enabled
- A session ID is changed on one node in a cluster and it notifies the other nodes to do the same

When any of these happen, Context.fireContainerEvent() is called with Context.CHANGE_SESSION_ID_EVENT.

The Servlet 3.1 spec document doesn't deal with the new HttpSessionIdListener directly, but the javadoc for Servlet 3.1 says that all HttpSessionIdListeners will be notified of session ID changes. It doesn't say when HttpServletRequest.changeSessionId() is called, it says "about HttpSession ID changes". So, from where I'm standing, this means to me:

- When HttpServletRequest.changeSessionId() is called and changes the session ID, OR the container authenticates a request and changeSessionIdOnAuthentication is enabled resulting in the session ID changing, OR a session ID is changed on one node in a cluster and it notifies the other nodes to do the same, or a session ID is changed for any other reason, HttpSessionIdListeners should be notified.
- When HttpServletRequest.changeSessionId() is called and changes the session ID, Context.fireContainerEvent() should be called with Context.CHANGE_SESSION_ID_EVENT just like if the session ID were changed some other way.

Does anyone disagree with this?
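An added example, not part of the original message and not Tomcat's own code: an application-side HttpSessionIdListener that keeps state indexed by session ID consistent when the ID rotates. It relies on the listener being called for every kind of change (changeSessionId(), container authentication, cluster notification), which is the behaviour the message proposes; the class name SessionAuditRegistry and its map are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical application class: tracks per-session audit data keyed by session ID.
@WebListener
public class SessionAuditRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Hypothetical index: current session ID -> session creation time (ms).
    private static final Map<String, Long> CREATED = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        CREATED.put(se.getSession().getId(), System.currentTimeMillis());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        CREATED.remove(se.getSession().getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Same HttpSession object, new ID: move the entry so nothing stays
        // reachable under the old (possibly attacker-known) identifier.
        String newId = event.getSession().getId();
        Long created = CREATED.remove(oldSessionId);
        if (created == null) {
            // No entry under the old ID: a change happened that this registry
            // never saw the start of. Record it without logging either ID.
            event.getSession().getServletContext()
                 .log("Session ID changed for a session with no audit entry");
            created = System.currentTimeMillis();
        }
        CREATED.put(newId, created);
    }

    // Lookup used by application code; returns null for unknown or retired IDs.
    public static Long createdAt(String sessionId) {
        return CREATED.get(sessionId);
    }
}
```

If the container skipped the listener for any one of the change paths, the entry would remain under the old ID and lookups by the new ID would fail, which is why notifying on every path matters to applications.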