Mark, I do not want to change how tomcat handle the sessionId. I want to create one little class that handle on the server side the cookie information that can come on the header, make a preprocessing which will create one another information that I want to put on the attributes of the request.
I do not want to change nothing on how tomcat handle session id. I just need to process the request header before tomcat use it, so I can make the operation and create a new attribute and put the session id that tomcat knows. I just need to know the first class on tomcat that receives the message from the client and the last one before send it to the client. Tks Juliano ----- Mensagem original ---- De: Mark Thomas <ma...@apache.org> Para: Tomcat Users List <users@tomcat.apache.org> Enviadas: Sexta-feira, 15 de Outubro de 2010 13:56:07 Assunto: Re: Res: Res: JSESSIONID Cookie handle customizing On 15/10/2010 17:47, Juliano Daloia de Carvalho wrote: > Chuck, I can't say explicit why I need to use this info on the session. but > is > related with security issues. > > and you are right, is much more plausible to make this as you said, but I > can't afford to do that. If you need to control the session ID then the right way to do this is to extend the Manager and override generateSessionId(). Anything else is going to be fragile, particularly when you factor in that Tomcat will change the session ID on authentication to prevent session fixation. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org