).
I don't know how practical it would be to de-couple the cookie value from the session
ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID
changes?
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Friday, 22 January, 2016 11:44:53 AM
Subject: Re: [undertow-dev] sessionId changes between requests?
Ok, found it. setChangeSessionIdOnLogin()
Can I ask why this is done? Security reasons? To change the cookie?
If it is to change the cookie, would be really good in the future to
decouple the session cookie value from the session id so that plugins,
like Keycloak, that are remotely managing and monitoring sessions can
still do so without creating a security hole.
On 1/21/2016 6:10 PM, Bill Burke wrote:
> Does a HttpSession ID change between requests? We are storing the
> current HttpSession ID at our IDP after login, then transmitting back to
> the app in a background HTTP request, looking up the session and then
> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
> it is not the same http session.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
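
The `HttpSessionIdListener` approach suggested in the reply, as an added example that is not part of the original thread and is not Undertow or Keycloak code. The class name `SessionIdTracker` and the method `invalidateByKnownId` are hypothetical. It assumes in-memory sessions on a single node and a back-channel logout endpoint that authenticates the IdP before calling it.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical helper: remembers every ID a live session has carried, so an ID
// stored at the IdP before a change-on-login still resolves to the session.
@WebListener
public class SessionIdTracker implements HttpSessionListener, HttpSessionIdListener {

    // Any ID the session has had -> the session. In-memory, single node only.
    private static final Map<String, HttpSession> BY_ID = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        BY_ID.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // The old key stays as a lookup handle only; the container no longer
        // accepts it as a cookie value, so fixation protection is unaffected.
        BY_ID.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Drop every key (old and current) that points at the ending session.
        String goneId = event.getSession().getId();
        BY_ID.values().removeIf(s -> s.getId().equals(goneId));
    }

    // Call only from a back-channel endpoint that has authenticated the IdP.
    public static boolean invalidateByKnownId(String anyKnownId) {
        HttpSession session = BY_ID.get(anyKnownId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate(); // fires sessionDestroyed, which clears the keys
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            BY_ID.values().removeIf(s -> s == session);
            return false;
        }
    }
}
```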