tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Mohrig <>
Subject RE: Session and IP
Date Wed, 14 Aug 2002 09:31:24 GMT
Afaik tomcat uses either cookies or url-encoding to get the session-id from
the users requesting a resource, which has nothing to do with the ip
address. The only circumstances I could imagine therefore are two differente
browsers having installed the same session-cookie (which is quite unlikely
and would require the users to actively copy those cookie from one machine
to the other) or (which is much more likely) two users using the same
encoded urls. This might happen if one user sends another the complete(!)
link containing the session id by copying it out of the address-field of his
browser, e.g.:;jsessionid=C21CC5E4A5

This would let the other user share the same session as long as it has not
timed out.

best regards

Andreas Mohrig

-----Original Message-----
From: Roland Carlsson []
Sent: Wednesday, August 14, 2002 11:20 AM
To: Tomcat Users List
Subject: Session and IP

I'm trying to trace a strange behavior from a couple of error reports from
the users of a system.

The problem is that they seems to share the same session on our server.
Different computers, on different location, sharing a public ip-number
(corporate intranet through VPN to a single internet-node).

The company has IE4 as their default browser.

My questions are:

Is it possible that tomcat let those users share the same session since they
share the same public IP-number? Under what circumstances would that
behavior occur?

Thanks in advance
Roland Carlsson

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message