Re: Security Issue with built-in form-based login

Hi Alan,

Another way around this may be to set "reuse-session-id" to false in your
session-config. By default, Resin re-uses the same session id every time you
login from the same computer. Setting this to false should make Resin
generate a new session id for every login.

--jeff

----- Original Message -----
From: "Alan Wright" <alan.wright@xxx.com>
To: <resin-interest@xxx.com>
Sent: Thursday, April 18, 2002 5:32 AM
Subject: Re: Security Issue with built-in form-based login

> Hi Tibi,
>
> Invalidating the session in the login.jsp page has resolved my problem
> beautifully - thanks.
>
> Alan
>
>
>
> Tiberiu Fustos wrote:
>
> >It would be good to know if that did the trick. BTW: I do have a custom
> >authenticator, but I still invalidate the session in the login page...it
> >works for now, including with Resin 2.1.0.
> >
>
>
Received on Thu 18 Apr 2002 11:10:24 -0700