-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David,
david delbecq wrote: | I would more be thinking about applications that plays with | sessionlistener and maintain list of active session (to track number of | users / who is logged in, etc). Like ip<->session id matching, a change | id on the fly could also break at several levels and should be | optional. Agreed. | Also, for example, of non-cookies enabled user, for which url | previous to login would become useless (or at least would point to a | non-existent session). True, but I would think that anyone sufficiently concerned about this particular issue would make arrangements for that possibility if they were going to employ a session-switcher thing. This is a problem whether you change the session id directly or change the session (and get a new id). - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkexqPsACgkQ9CaO5/Lv0PBxbwCfehX9F9KxPs8tK7gJCgh3ctww nRYAn0Basg+wi6imjK5aFqjQE1f0BAOL =85D4 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]