Add note about J2EE's invalidate.

Felipe Lessa 2015-05-25 18:57:17 -03:00
parent f59656bc98
commit e27b932c17


@ -328,6 +328,11 @@ forceInvalidateKey = "serversession-force-invalidate"
-- | Which session IDs should be invalidated.
--
-- Note that this is not the same concept of invalidation as used
-- on J2EE. In this context, invalidation means creating a fresh
-- session ID for this user's session and disabling the old ID.
-- Its purpose is to avoid session fixation attacks.
data ForceInvalidate =
CurrentSessionId
-- ^ Invalidate the current session ID. The current session
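
Review bot: The added note on `ForceInvalidate` (the comment lines starting "Note that this is not the same concept of invalidation") says what invalidation is not, but never says what the J2EE meaning is, so a reader unfamiliar with J2EE gets no contrast. Suggest adding one clause saying that J2EE's invalidate discards the session itself, and stating explicitly whether the session data carries over to the fresh ID, since "creating a fresh session ID for this user's session" only implies it. Minor wording: "as used on J2EE" should read "as used in J2EE".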