tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: TCP connections and HTTP sessions
Date Sat, 24 Jan 2009 23:10:45 GMT
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: TCP connections and HTTP sessions
>>
>> Some proxies/firewalls etc. may even apparently use a single TCP
>> connection to the back-end server, to serve requests from different
>> clients.
> 
> I've never seen that, and it would be a serious breach of security,
> making sessions, cookies, and other such mechanisms useless.  Proxies
> will almost always use the same IP address, but will separate clients
> by port number.
> 
I did not say that this was recommended practice, nor even that it was 
not a bug.  But I am positive that I saw it mentioned in the last couple 
of months as something that happens.  I believe it might have been in 
some discussion relative to HTTP NTLM authentication, and indeed 
problems related to that fact (and hence security).

To nitpick, I don't think it would influence cookies per se.  Cookies 
work fine even when the connection is reset and re-established, and do 
not to my knowledge relate to ports (nor even in fact to IP addresses, 
only to hostnames and paths).
And I am wondering how it could influence "sessions", though I guess it 
depends a lot on the definition of what is a session.

Anyway, the point was that the OP seemed to confuse the idea of 
"application session" (in the sense of some application context saved at 
the server side between requests), and the existence of a persistent TCP 
connection and/or dedicated thread/child at the server side.
In my understanding (and I believe Chris's), there is no such link.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

