[SERVLET_SPEC-47] Should keep session content rather than session object after programmatic login Created: 05/Oct/12  Updated: 10/Oct/12  Resolved: 10/Oct/12

Status: Closed
Project: servlet-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Shing Wai Chan Assignee: Shing Wai Chan
Resolution: Works as designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The following issue is raised by Jan Bartel <janb@intalio.com>.
See email discussion in users@servlet-spec.java.net .

In p.141 of 13.10 "Login and Logout" of Servlet 3.0 spec, it has:
"If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information."

The session content rather than the session object must be kept.
So, it is a bug in the spec.



 Comments   
Comment by Shing Wai Chan [ 10/Oct/12 ]

I have a second thought on the issue.
Consider the following:
session.setAttribute("a", A);
where A is an object that has a reference to session.
In this case, it would be better to keep the same object instance.

Generated at Fri Sep 04 15:39:02 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.