tomcat-users mailing list archives

From "Roland Carlsson" <rolan...@swetravel.se>
Subject Re: Session and IP
Date Wed, 14 Aug 2002 09:35:43 GMT
Thanks for your answer.

We are not using url-encoding, only cookies.

Is it possible that a proxy can catch the page and fool the cookie system?
We have not set any commands to proxies but the default that tomcat uses?

Thanks
Roland Carlsson


----- Original Message -----
From: "Andreas Mohrig" <andreas.mohrig@cadooz.de>
To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, August 14, 2002 11:31 AM
Subject: RE: Session and IP


> Afaik tomcat uses either cookies or url-encoding to get the session-id from
> the users requesting a resource, which has nothing to do with the ip
> address. The only circumstances I could imagine therefore are two different
> browsers having installed the same session-cookie (which is quite unlikely
> and would require the users to actively copy those cookies from one machine
> to the other) or (which is much more likely) two users using the same
> encoded urls. This might happen if one user sends another the complete(!)
> link containing the session id by copying it out of the address-field of his
> browser, e.g.:
>
> http://www.yourserver.com/yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9
>
> This would let the other user share the same session as long as it has not
> timed out.
>
> best regards
>
> Andreas Mohrig
>
> -----Original Message-----
> From: Roland Carlsson [mailto:roland.c@swetravel.se]
> Sent: Wednesday, August 14, 2002 11:20 AM
> To: Tomcat Users List
> Subject: Session and IP
>
>
> Hi!
> I'm trying to trace a strange behavior from a couple of error reports from
> the users of a system.
>
> The problem is that they seem to share the same session on our server.
> Different computers, at different locations, sharing a public ip-number
> (corporate intranet through VPN to a single internet-node).
>
> The company has IE4 as their default browser.
>
> My questions are:
>
> Is it possible that tomcat lets those users share the same session since they
> share the same public IP-number? Under what circumstances would that
> behavior occur?
>
> Thanks in advance
> Roland Carlsson


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
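
Added example, not part of the original thread: one way to check an access log for the URL-sharing case Andreas describes, by pulling `;jsessionid=` path parameters out of request URLs and Referer headers and flagging IDs presented by more than one client. It assumes combined log format with Referer and User-Agent fields; the log lines, addresses and session IDs are constructed samples. Clients behind one public IP with identical browsers cannot be told apart this way.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2002:11:02:01 +0200] "GET /yourcontext/someresource.jsp;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
192.0.2.10 - - [14/Aug/2002:11:05:40 +0200] "GET /yourcontext/someresource.jsp;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
192.0.2.10 - - [14/Aug/2002:11:06:12 +0200] "GET /yourcontext/other.jsp?x=1 HTTP/1.0" 200 300 "http://www.yourserver.com/yourcontext/a.jsp;jsessionid=EEEE5555FFFF6666AAAA7777BBBB8888" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
198.51.100.7 - - [14/Aug/2002:11:09:00 +0200] "GET /yourcontext/index.jsp HTTP/1.0" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"""

# ip, ident, user, [time], "method target proto", status, size, "referer", "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')
# URL rewriting carries the session ID as a path parameter: ;jsessionid=<id>
SID = re.compile(r';jsessionid=([0-9A-Za-z.]+)', re.IGNORECASE)


def sessions_in_urls(log_text):
    """Map session ID -> set of (client_ip, user_agent, where_seen)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, referer, agent = m.groups()
        for where, value in (("request", target), ("referer", referer)):
            for sid in SID.findall(value):
                seen[sid].add((ip, agent, where))
    return seen


def shared_sessions(seen):
    """Session IDs presented by more than one distinct (ip, user-agent) pair."""
    return sorted(sid for sid, hits in seen.items()
                  if len({(ip, ua) for ip, ua, _ in hits}) > 1)


if __name__ == "__main__":
    seen = sessions_in_urls(SAMPLE_LOG)
    shared = shared_sessions(seen)
    for sid in sorted(seen):
        flag = "SHARED" if sid in shared else "single client"
        print(sid, flag, sorted({w for _, _, w in seen[sid]}))
```

Any hit at all means session IDs are travelling in URLs, which is worth knowing on a site that is meant to use cookies only.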

