Should keep session content rather than session object after programmatic login

[glassfishrobot]

The following issue is raised by Jan Bartel janb@intalio.com.
See email discussion in users@servlet-spec.java.net .

In p.141 of 13.10 "Login and Logout" of Servlet 3.0 spec, it has:
"If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information."

The session content rather than the session object must be kept.
So, it is a bug in the spec.

[glassfishrobot]

@glassfishrobot Commented
Reported by @shingwaichan

[glassfishrobot]

@glassfishrobot Commented
@shingwaichan said:
I have a second thought on the issue.
Consider the following:
session.setAttribute("a", A);
where A is an object that has a reference to session.
In this case, it would be better to keep the same object instance.

[glassfishrobot]

@glassfishrobot Commented
Marked as works as designed on Tuesday, October 9th 2012, 10:16:05 pm

[glassfishrobot]

@glassfishrobot Commented
This issue was imported from java.net JIRA SERVLET_SPEC-47

[glassfishrobot]

• Issue Imported From: https://github.com/javaee/servlet-spec/issues/47
• Original Issue Raised By:@glassfishrobot
• Original Issue Assigned To: @shingwaichan
• Original Issue Closed By:@glassfishrobot