pferraro wrote:
bschatz wrote:
The jsessionid *must not* change after login,
this would violate the servlet specification. (Chapter Security, Login and Logout):
"... Containers may create HTTP Session objects to track login state. If a developer
creates a session while a user is not authenticated, and the container then
authenticates the user, the session visible to developer code after login must be the
same session object that was created prior to login occurring so that there is no loss
of session information."
So the behaviour of WildFly is as specified.
I think you are misinterpreting the specification. The snippet above says nothing about the session identifier, only the session object. A session identifier is a property of a session object and can change independently. Thus the session object can be the same before and after login, even if the identifier changes. Nor is the old session identifier truly "lost", as it is available to registered HttpSessionIdListeners.
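An added illustration of this point (not code from the thread or from WildFly itself): a Servlet 3.1 `HttpSessionIdListener` that receives the old identifier when the container rotates it, and a small servlet that checks, around `request.login()`, that the session object and its attributes survive while only the id changes. It assumes a `javax.servlet` 3.1+ container with a login realm configured; the package, servlet path and attribute name are hypothetical.

```java
package example; // hypothetical package

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebListener
public class SessionIdChangeListener implements HttpSessionIdListener {
    private static final Logger LOG = Logger.getLogger(SessionIdChangeListener.class.getName());

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // The old identifier is not lost: the container hands it to this callback,
        // and event.getSession() is the same session object, now carrying the new id.
        LOG.info(() -> "session id rotated " + oldSessionId + " -> " + event.getSession().getId());
    }
}

// Defender-side check that fixation protection is active without losing session state.
@WebServlet("/login") // hypothetical path
class LoginCheckServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession before = req.getSession(true);
        before.setAttribute("cart", "kept-across-login"); // constructed sample attribute
        String idBefore = before.getId();

        // Programmatic login against the realm configured for the deployment.
        req.login(req.getParameter("user"), req.getParameter("password"));

        HttpSession after = req.getSession(false);
        // Spec guarantee: same session object, attributes preserved ...
        boolean sameObject = after == before;
        boolean attributeKept = "kept-across-login".equals(after.getAttribute("cart"));
        // ... while a container that protects against session fixation rotates the id.
        boolean idChanged = !idBefore.equals(after.getId());

        resp.setContentType("text/plain");
        resp.getWriter().printf("sameObject=%s attributeKept=%s idChanged=%s%n",
                sameObject, attributeKept, idChanged);
    }
}
```

On a container that rotates the identifier on authentication, the response reads `sameObject=true attributeKept=true idChanged=true`, and the listener logs the old and new ids.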
Good point, thx for the clarification.