Question
I am using the Resin app server. request.getSession().invalidate(); request.getSession(true) is not working properly and it's not resetting the session ID while using Resin.
Also, I am not able to use request.changeSessionId() as the Resin version is not able to use Java EE 7 libraries.
Please share your views on how to resolve session fixation with Resin.
Answer 1:
Resin 4.0.x doesn't implement Servlet 3.1 API.
Resin provides the reuse-session-id configuration option that helps control session cookie behaviour.
http://caucho.com/resin-4.0/reference.xtp#session-config
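One way to rotate the session at login on a Servlet 3.0 container without changeSessionId(), as an added example that is not part of the original answer or Resin's own code. It assumes reuse-session-id is set to false in session-config; SessionRotator is a hypothetical helper name. It fails closed when the new session still carries the old or client-supplied ID.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (hypothetical helper). Assumes resin-web.xml contains:
//   <session-config><reuse-session-id>false</reuse-session-id></session-config>
public final class SessionRotator {
    private SessionRotator() {}

    /** Call right after credentials are verified, before storing the principal. */
    public static HttpSession rotate(HttpServletRequest request) {
        // ID the client presented in its cookie or URL; may be attacker-chosen.
        String presentedId = request.getRequestedSessionId();
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            oldId = old.getId();
            // Carry pre-login state (cart, locale, ...) over to the new session.
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);
        String newId = fresh.getId();

        // Fail closed: a reused ID means the fixation window is still open.
        if (newId.equals(oldId) || newId.equals(presentedId)) {
            fresh.invalidate();
            throw new IllegalStateException(
                "session ID was not regenerated; check reuse-session-id");
        }
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```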
Source: https://stackoverflow.com/questions/31662809/resolving-session-fixation-bug-fix-in-resin-app-server