tomcat-users mailing list archives

From "Arthur Veinstein" <Art...@telemessage.com>
Subject Re: Session and IP
Date Wed, 14 Aug 2002 11:23:57 GMT
Are you using some kind of hardware load balancer (Alteon etc.)?
If the answer is yes and it's configured for cookie rewrite (based on ip),
then this is exactly the reason why the sessions are shared.

We had the same problem while configured with this kind of configuration.

Arthur
----- Original Message -----
From: "Roland Carlsson" <roland.c@swetravel.se>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, August 14, 2002 11:35 AM
Subject: Re: Session and IP


> Thanks for your answer.
>
> We are not using url-encoding, only cookies.
>
> Is it possible that a proxy can catch the page and fool the cookie system?
> We have not set any commands to proxies but the default that tomcat uses?
>
> Thanks
> Roland Carlsson
>
>
> ----- Original Message -----
> From: "Andreas Mohrig" <andreas.mohrig@cadooz.de>
> To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> Sent: Wednesday, August 14, 2002 11:31 AM
> Subject: RE: Session and IP
>
>
> > Afaik tomcat uses either cookies or url-encoding to get the session-id from
> > the users requesting a resource, which has nothing to do with the ip
> > address. The only circumstances I could imagine therefore are two different
> > browsers having installed the same session-cookie (which is quite unlikely
> > and would require the users to actively copy those cookies from one machine
> > to the other) or (which is much more likely) two users using the same
> > encoded urls. This might happen if one user sends another the complete(!)
> > link containing the session id by copying it out of the address-field of his
> > browser, e.g.:
> >
> > http://www.yourserver.com/yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9
> >
> > This would let the other user share the same session as long as it has not
> > timed out.
> >
> > best regards
> >
> > Andreas Mohrig
> >
> > -----Original Message-----
> > From: Roland Carlsson [mailto:roland.c@swetravel.se]
> > Sent: Wednesday, August 14, 2002 11:20 AM
> > To: Tomcat Users List
> > Subject: Session and IP
> >
> >
> > Hi!
> > I'm trying to trace a strange behavior from a couple of error reports from
> > the users of a system.
> >
> > The problem is that they seem to share the same session on our server.
> > Different computers, in different locations, sharing a public ip-number
> > (corporate intranet through VPN to a single internet-node).
> >
> > The company has IE4 as their default browser.
> >
> > My questions are:
> >
> > Is it possible that tomcat lets those users share the same session since they
> > share the same public IP-number? Under what circumstances would that
> > behavior occur?
> >
> > Thanks in advance
> > Roland Carlsson
> >
> >
> > --
> > To unsubscribe, e-mail:
> > <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail:
> > <mailto:tomcat-user-help@jakarta.apache.org>
> >
>
>
>
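The causes discussed in this thread (a forwarded `;jsessionid=` link, or one session id presented by more than one browser) can be looked for in access logs. The following Python is an added example, not code from any poster or from Tomcat; the log layout (combined format plus a quoted Cookie field), the sample lines and the function names are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample lines: combined log format plus a trailing quoted Cookie
# header (an assumed logging setup, not something the thread describes).
SAMPLE_LOG = '''\
198.51.100.7 - - [14/Aug/2002:11:02:10 +0000] "GET /yourcontext/a.jsp HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)" "JSESSIONID=AAAA1111AAAA1111AAAA1111AAAA1111"
198.51.100.7 - - [14/Aug/2002:11:03:41 +0000] "GET /yourcontext/b.jsp;jsessionid=BBBB2222BBBB2222BBBB2222BBBB2222?x=1 HTTP/1.0" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)" "-"
198.51.100.7 - - [14/Aug/2002:11:09:05 +0000] "GET /yourcontext/b.jsp;jsessionid=BBBB2222BBBB2222BBBB2222BBBB2222 HTTP/1.0" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" "-"
203.0.113.9 - - [14/Aug/2002:11:10:00 +0000] "GET /yourcontext/a.jsp HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "JSESSIONID=CCCC3333CCCC3333CCCC3333CCCC3333"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)" "([^"]*)"$')
URL_SID = re.compile(r';jsessionid=([0-9A-Za-z.]+)', re.I)
COOKIE_SID = re.compile(r'(?:^|;\s*)JSESSIONID=([0-9A-Za-z.]+)')

def tag(sid):
    """Short hash so the report never repeats a usable session id."""
    return hashlib.sha256(sid.encode()).hexdigest()[:12]

def analyse(log_text):
    clients = defaultdict(set)   # session tag -> {(ip, user agent)}
    via_url = set()              # session tags that travelled in a URL
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, agent, cookie = m.groups()
        url_hit, cookie_hit = URL_SID.search(target), COOKIE_SID.search(cookie)
        hit = url_hit or cookie_hit
        if not hit:
            continue
        t = tag(hit.group(1))
        clients[t].add((ip, agent))
        if url_hit:
            via_url.add(t)
    # Behind one public IP with identical browsers the (ip, agent) pair
    # collides, so "url_borne" is the more reliable of the two signals.
    shared = {t for t, seen in clients.items() if len(seen) > 1}
    return {"url_borne": via_url, "shared": shared}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("session ids seen in URLs:", sorted(result["url_borne"]))
    print("session ids used by more than one client:", sorted(result["shared"]))
```
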

