views:

288

answers:

1

Hey guys,

I need to know which class in Tomcat (6.x) is responsible for placing the SessionID either into a cookie or appending it to the request. Is this done after all Filters are passed?

I need to modify the SessionID before the response is sent to the browser...

+3  A: 

The session ID is set by the Tomcat Session Manager - there are a number of different implementations. If you change the session ID during the execution of your app you might break some of the assumptions that were made by the Session Manager.

To change the ID you have to implement your own Session Manager. The "standard" way to do this is to extend ManagerBase. You could also extend StandardManager and override generateSessionId(). To get Tomcat to use your custom Session Manager, have a look at the Context and Manager configuration in server.xml

Be very careful when generating your own session IDs. There is no way for a server to know whether an ID in a cookie is valid. If an attacker can guess your ID sequence he can steal sessions of other users by simply setting cookie values in his HTTP client.

leonm
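As an added example that is not part of the answer above: one way to do what it describes (extend StandardManager and override generateSessionId()) with a CSPRNG-backed, collision-checked ID. It assumes the Tomcat 6.x API, where ManagerBase declares generateSessionId(), getJvmRoute() and the protected sessions map; the package and class names are hypothetical.

```java
package com.example.tomcat;   // hypothetical package name

import java.security.SecureRandom;
import org.apache.catalina.session.StandardManager;

/**
 * Custom Session Manager for Tomcat 6.x that only changes how session IDs
 * are generated. Session creation, expiry and persistence stay as
 * StandardManager implements them, so the Manager's own assumptions about
 * the ID (unique, stable for the life of the session) are not broken.
 */
public class SecureIdSessionManager extends StandardManager {

    // 128 bits of CSPRNG output per ID. SecureRandom output cannot be
    // predicted from previously issued IDs, which is what defeats the
    // sequence-guessing risk the answer warns about.
    private static final int ID_BYTES = 16;
    private final SecureRandom random = new SecureRandom();

    @Override
    protected synchronized String generateSessionId() {
        byte[] buf = new byte[ID_BYTES];
        String id;
        do {
            random.nextBytes(buf);
            id = toHex(buf);
            // Tomcat appends the jvmRoute so a load balancer can route the
            // request to the right node; keep that behaviour intact.
            String jvmRoute = getJvmRoute();
            if (jvmRoute != null) {
                id = id + '.' + jvmRoute;
            }
        } while (sessions.containsKey(id)); // 'sessions': protected map
                                            // inherited from ManagerBase (6.x)
        return id;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Register it in the web application's Context (in server.xml, as the answer says) with `<Manager className="com.example.tomcat.SecureIdSessionManager"/>`; the class must be loadable by Tomcat itself (e.g. a jar in $CATALINA_HOME/lib), not only by the web application.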