On Thu, May 29, 2014 at 12:16 PM, Christopher Schultz <ch...@christopherschultz.net> wrote: > Do you mean that you have a web application that does this: > > session.invalidate(); > session = request.getSession(true); > > ... and the old session is in fact not invalidated?
Yes. Specifics to make this happen seem to be: TC 7.0.54 in a cluster, Tapestry 5.2.6 + Tapestry Spring Security. 7.0.53 is OK. 7.0.54 standalone is OK Tapestry App without spring security is OK. Plain old servlet apps work fine. > Please demonstrate that the session is in fact not validated. Given > your description, if this is really happening, it should be trivial to > create a test-case. Yes, just haven't had the time yet. -Dave --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org