force new session ID, but don't invalidate session

andy.2003 May 12, 2006 7:54 AM

Hello,

is there a way to generate a new Session ID without invalidating the current session? I read some article about session hijacking, and the main conclusion was, to always generate a new session ID if the security level increase. So if a not logged in user already got a session and he's logging in, he should receive a new session Id.

cheers
- Andreas

1. Re: force new session ID, but don't invalidate session

gavin.king May 12, 2006 1:33 PM (in response to andy.2003)

No idea, but it's a Tomcat question...
Actions