[SERVLET_SPEC-47] Should keep session content rather than session object
after programmatic login Created: 05/Oct/12 Updated: 10/Oct/12 Resolved: 10/Oct/12
Status:
Project:
Component/s:
Affects
Version/s:
Fix Version/s:
Closed
servlet-spec
None
None
Type:
Reporter:
Resolution:
Labels:
Remaining
Estimate:
Time Spent:
Original
Estimate:
Bug
Shing Wai Chan
Works as designed
None
Not Specified
None
Priority:
Assignee:
Votes:
Major
Shing Wai Chan
0
Not Specified
Not Specified
Description
The following issue is raised by Jan Bartel <janb@intalio.com>.
See email discussion in users@servlet-spec.java.net .
In p.141 of 13.10 "Login and Logout" of Servlet 3.0 spec, it has:
"If a developer creates a session while a user is not authenticated, and the container then
authenticates the user, the session visible to developer code after login must be the same session
object that was created prior to login occurring so that there is no loss of session information."
The session content rather than the session object must be kept.
So, it is a bug in the spec.
Comments
Comment by Shing Wai Chan [ 10/Oct/12 ]
I have a second thought on the issue.
Consider the following:
session.setAttribute("a", A);
where A is an object that has a reference to session.
In this case, it would be better to keep the same object instance.
Generated at Tue Feb 09 16:00:19 UTC 2016 using JIRA 6.2.3#6260sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.