Luis,

> I am using the URL rewriting method for session maintenance, but when a
> timeout occurs in my web application, Tomcat sets a cookie named
> jsessionid (used for session tracking purposes) with a new session id
> value before redirecting the user to the login page. This jsessionid
> cookie value does not match the previous session id, it is a new one,
> and is also different from the new one created in the (re)login
> process.

This is expected behavior.

> Why does this happen? Does Tomcat always create a jsessionid cookie
> when a timeout occurs? And if this is a Tomcat issue, how do I disallow
> this (if it is possible, anyway)?

Tomcat is creating a new session in this case because it is redirecting
the user to the login page, and wants to make sure that the original
request (the one that was intercepted in order to take the user to the
login page) is fulfilled. It does this by storing that information in
the session (or, if not actually /in/ the session, it is at least
/related/ to the session).

So, Tomcat is preparing for a login, and creates a session to handle
everything. If you want to disable session creation, I think you are
going to have to turn off container-managed authentication (and then
you'll have to implement your own).

-chris
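
A simplified model of the flow described in the reply above, added here as an illustration; it is not Tomcat's code and not part of the original message. The `Container` class, the paths and the credentials are constructed for the example, and the model covers only the saved-request step: an expired session id is unknown to the container, so it creates a fresh session to remember the intercepted request before redirecting to the login page.

```python
import secrets
from dataclasses import dataclass, field

LOGIN_PAGE = "/login"         # assumed login page path
PROTECTED_PREFIX = "/app/"    # assumed protected area
USERS = {"luis": "s3cret"}    # constructed credentials

@dataclass
class Session:
    id: str = field(default_factory=lambda: secrets.token_hex(16))
    attrs: dict = field(default_factory=dict)

class Container:
    """Toy model of container-managed form login with a saved request."""

    def __init__(self):
        self.sessions = {}

    def expire(self, sid):
        # Simulate a session timeout: the id is no longer known server-side.
        self.sessions.pop(sid, None)

    def handle(self, path, sid=None, form=None):
        """Return (status, redirect target, session id sent to the client)."""
        session = self.sessions.get(sid)
        if path == LOGIN_PAGE and form:
            return self._login(session, form)
        logged_in = session is not None and "user" in session.attrs
        if path.startswith(PROTECTED_PREFIX) and not logged_in:
            if session is None:
                # Expired or missing id: a new session must exist so the
                # login step can find the request that was intercepted.
                session = Session()
                self.sessions[session.id] = session
            session.attrs["saved_request"] = path
            return 302, LOGIN_PAGE, session.id
        return 200, None, session.id if session else None

    def _login(self, session, form):
        user, password = form.get("user"), form.get("password") or ""
        if session is None or user not in USERS:
            return 403, None, None
        if not secrets.compare_digest(USERS[user], password):
            return 403, None, None
        session.attrs["user"] = user
        # Fulfil the original request that triggered the login redirect.
        return 302, session.attrs.pop("saved_request", "/"), session.id
```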

