[undertow-dev] sessionId changes between requests?
Bill Burke
bburke at redhat.com
Thu Jan 21 19:44:53 EST 2016
Ok, found it. setChangeSessionIdOnLogin()
Can I ask why this is done? Security reasons? To change the cookie?
If it is to change the cookie, would be really good in the future to
decouple the session cookie value from the session id so that plugins,
like Keycloak, that are remotely managing and monitoring sessions can
still do so without creating a security hole.
On 1/21/2016 6:10 PM, Bill Burke wrote:
> Does an HttpSession ID change between requests? We are storing the
> current HttpSession ID at our IDP after login, then transmitting back to
> the app in a background HTTP request, looking up the session and then
> invalidating it. This used to work on WildFly 8 and 9, in 10, looks like
> it is not the same http session.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
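
The decoupling proposed in the message above, as an added sketch that is not code from the post, Undertow or Keycloak: the cookie value is rotated at login while a stable internal id, never sent to the browser, is what a remote session manager stores. The class and method names are hypothetical and the store is an in-memory model, not a servlet container API.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory model: the cookie value rotates, the internal id does not.
public class DecoupledSessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> cookieToId = new ConcurrentHashMap<>(); // cookie value -> internal id
    private final Map<String, String> idToCookie = new ConcurrentHashMap<>(); // internal id -> current cookie
    private static String token() {
        byte[] b = new byte[24];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // Creates a session and returns the cookie value handed to the browser.
    public synchronized String create() {
        String id = token(), cookie = token();
        cookieToId.put(cookie, id);
        idToCookie.put(id, cookie);
        return cookie;
    }
    // Internal id for a cookie value, or null if the cookie is unknown or stale.
    public String resolve(String cookie) { return cookieToId.get(cookie); }
    // Session fixation defence at login: new cookie value, same internal id.
    public synchronized String rotateCookieOnLogin(String oldCookie) {
        String id = cookieToId.remove(oldCookie);
        if (id == null) throw new IllegalStateException("unknown session");
        String fresh = token();
        cookieToId.put(fresh, id);
        idToCookie.put(id, fresh);
        return fresh;
    }
    // Back-channel invalidation by the id a remote session manager stored.
    public synchronized boolean invalidate(String id) {
        String cookie = idToCookie.remove(id);
        return cookie != null && cookieToId.remove(cookie) != null;
    }
    public static void main(String[] args) {
        DecoupledSessionStore store = new DecoupledSessionStore();
        String preLogin = store.create();      // value known before authentication
        String id = store.resolve(preLogin);   // stable id, stored remotely
        String postLogin = store.rotateCookieOnLogin(preLogin);
        System.out.println("pre-login cookie still valid: " + (store.resolve(preLogin) != null));
        System.out.println("same id after login: " + id.equals(store.resolve(postLogin)));
        System.out.println("stored id usable as cookie: " + (store.resolve(id) != null));
        System.out.println("back-channel invalidate: " + store.invalidate(id));
        System.out.println("cookie valid afterwards: " + (store.resolve(postLogin) != null));
    }
}
```

Because the remotely stored id never resolves as a cookie, holding it does not grant access to the session, while invalidation by that id keeps working across the login-time rotation.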