Hello, I am upgrading my applications from Tomcat 6.0.18 to 6.0.24 and have come across the following problem with the protection mechanism against session fixation attacks. During authentication my Authenticator implementation requires access to the HTTP session before it invokes method register(request, response, principal, authType, username, password). When it accesses the HTTP session, the Response is instructed to send Set-Cookie with a newly generated JSESSIONID, and immediately after that - as part of the register method invocation - the Request is instructed to change the JSESSIONID. The problem is that Request.changeSessionId does not check whether the response has already been instructed to issue a Set-Cookie header for the session ID and simply adds a second cookie to be sent to the browser. The HTTP response contains two Set-Cookie headers for JSESSIONID with different values, where the second is the newest one. As MS IE uses the first cookie it receives, it is not able to connect to the session with the next requests.
I tried to find information on this problem in the documentation, bug database, etc., but with no success. Is this issue already known, or should I report it as a bug? Kind regards, Stephan
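The sequence Stephan describes (session accessed, first JSESSIONID queued, then changeSessionId queues a second one), modelled as an added example. This is not Tomcat's code and not the Authenticator from the post: the Response class, the two session IDs, the "first cookie wins" client and the raw HTTP response text are all constructed for illustration. The unchecked variant reproduces the two Set-Cookie headers; the replacing variant shows the check a practitioner would want before appending a session cookie; duplicate_set_cookies is a small scanner that flags the symptom in a raw response.

```python
# Added example: a minimal model of the double Set-Cookie problem described above.
# It is not Tomcat's code; the Response class, the session IDs and the raw HTTP
# response text are constructed for illustration.

SESSION_COOKIE = "JSESSIONID"


def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie value such as 'JSESSIONID=abc; Path=/'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def cookie_value(set_cookie_value):
    """Return the cookie value from a Set-Cookie value such as 'JSESSIONID=abc; Path=/'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[1].strip()


class Response:
    """In-memory stand-in for the servlet Response: headers are queued in emission order."""

    def __init__(self):
        self.headers = []  # list of (name, value) tuples

    def add_header(self, name, value):
        self.headers.append((name, value))

    def session_cookie_values(self):
        """All session IDs the browser would be offered, in header order."""
        return [
            cookie_value(value)
            for name, value in self.headers
            if name.lower() == "set-cookie" and cookie_name(value) == SESSION_COOKIE
        ]

    def add_session_cookie_unchecked(self, session_id):
        """The behaviour the post describes: append a Set-Cookie without checking
        whether one for JSESSIONID is already queued."""
        self.add_header("Set-Cookie", "%s=%s; Path=/; HttpOnly" % (SESSION_COOKIE, session_id))

    def add_session_cookie_replacing(self, session_id):
        """The missing check: drop any queued Set-Cookie for the same cookie name
        so the response carries exactly one JSESSIONID, the newest."""
        self.headers = [
            (name, value)
            for name, value in self.headers
            if not (name.lower() == "set-cookie" and cookie_name(value) == SESSION_COOKIE)
        ]
        self.add_session_cookie_unchecked(session_id)


def authenticate(response, replace_existing):
    """Replay the sequence from the post with constructed session IDs: the
    Authenticator touches the session (first ID queued), then register()
    changes the session ID (second ID). Returns the server-side session ID."""
    first_id = "0A1B2C3D4E5F6071"   # constructed: ID created when the session is first accessed
    second_id = "8899AABBCCDDEEFF"  # constructed: ID produced by the session ID change
    add = response.add_session_cookie_replacing if replace_existing else response.add_session_cookie_unchecked
    add(first_id)   # session created while the authenticator inspects it
    add(second_id)  # session ID changed during register()
    return second_id


def client_session_id(response, keep_first):
    """The cookie value a client ends up with. keep_first models the behaviour the
    post attributes to MS IE (first Set-Cookie wins); otherwise the last one wins."""
    values = response.session_cookie_values()
    if not values:
        return None
    return values[0] if keep_first else values[-1]


def duplicate_set_cookies(raw_response):
    """Scan a raw HTTP response (status line plus headers) and return
    {cookie name: [values]} for every cookie that is set more than once."""
    seen = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        value = value.strip()
        seen.setdefault(cookie_name(value), []).append(cookie_value(value))
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


# Constructed response showing the symptom; not a captured Tomcat response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0A1B2C3D4E5F6071; Path=/; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=8899AABBCCDDEEFF; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for replace in (False, True):
        resp = Response()
        server_id = authenticate(resp, replace_existing=replace)
        print("replace_existing=%s offered=%s client_keeps_first=%s server=%s"
              % (replace, resp.session_cookie_values(), client_session_id(resp, True), server_id))
    print("duplicate cookies in sample:", duplicate_set_cookies(SAMPLE_RESPONSE))
```

Running the block shows the unchecked path offering two IDs, with a first-cookie client holding the stale one while the server session has the second; the replacing path offers one ID and both sides agree. To check a live server, paste the headers from `curl -i` against the login URL into duplicate_set_cookies: any non-empty result for JSESSIONID is the condition described in the post.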