Ok, found it. setChangeSessionIdOnLogin()
Can I ask why this is done? Security reasons? To change the cookie?
If it is to change the cookie, would be really good in the future to
decouple the session cookie value from the session id so that plugins,
like Keycloak, that are remotely managing and monitoring sessions can
still do so without creating a security hole.
On 1/21/2016 6:10 PM, Bill Burke wrote:
Does a HttpSession ID change between requests? We are storing the
current HttpSession ID at our IDP after login, then transmitting back to
the app in a background HTTP request, looking up the session and then
invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
it is not the same http session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com