tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Session management issue with Tomcat
Date Thu, 22 Sep 2011 20:32:04 GMT
Just noticing something here, and adding my grain of salt:

Martin O'Shea wrote:
...

> 
> The underlying principle here is that if multiple users use the same PC, 

(with or without logging out/in?)

and
> maybe even the same session in a browser, a single cookie is used to store a
> userid. Various system pages have a login facility and if invoked, the
> cookie is rewritten with the current user's id. But this is where the Back
> button issue occurs, so it may be that session invalidation solves my
> problem.
> 
I would tend to say that if multiple users use a PC, and they do not each log in with their own user-id, then the basic behaviour which you explain is to be expected.
These users share a single "user environment" on that PC, which includes the browser's history, cookies, and much more than that under Windows (think "recent documents", desktop, etc.).

I am not sure that the issue then is at your application level or at the Tomcat level.
It is more at the general usage (and security) policies level.
Moral: don't do that.

If users do log out and log in on that PC, each with his own user-id, that issue would not exist, because Windows keeps a separate "user profile" for each of these users, so they would never share a cookie, for example.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
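The thread above describes a design where a cookie holds the user id and is rewritten on each login, and asks whether session invalidation would cure the Back-button problem. As an added example, not code from either poster, here is the shape a Tomcat-side fix usually takes: keep the user id in the server-side HttpSession, invalidate any leftover session before binding a new login, invalidate on logout, and send no-store headers on per-user pages so the browser does not replay a cached copy when Back is pressed. It assumes a Tomcat 7 / Servlet 3.0 (javax.servlet) application; the URL paths /auth, /home and /login, the attribute name "userid", and the credentialsValid() placeholder are all hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login/logout servlet for a Tomcat 7 (Servlet 3.0) application.
 * The user id lives only in the server-side session, never in a cookie that
 * the next person at the same browser could inherit.
 */
@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    /** Placeholder credential check (assumption); the real app supplies its own. */
    private boolean credentialsValid(String user, String password) {
        return user != null && password != null
                && !user.isEmpty() && !password.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");

        if ("login".equals(action)) {
            String user = req.getParameter("user");
            String password = req.getParameter("password");
            if (!credentialsValid(user, password)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Whoever used this browser before may have left a session behind.
            // Invalidate it instead of overwriting its attributes, so nothing of
            // the previous user (attributes or JSESSIONID) survives the new login.
            HttpSession previous = req.getSession(false);
            if (previous != null) {
                previous.invalidate();
            }
            HttpSession fresh = req.getSession(true);   // new session, new JSESSIONID
            fresh.setAttribute("userid", user);
            fresh.setMaxInactiveInterval(15 * 60);      // idle timeout in seconds
            resp.sendRedirect(req.getContextPath() + "/home");

        } else if ("logout".equals(action)) {
            // Logout must destroy the session on the server; clearing a cookie
            // on the client alone leaves the server-side session reusable.
            HttpSession current = req.getSession(false);
            if (current != null) {
                current.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login");

        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}

/**
 * Hypothetical filter for pages showing per-user data. Without these headers
 * the browser may serve a cached copy of the previous user's page on Back,
 * even after that user's session has been invalidated on the server.
 */
@WebFilter("/home/*")
class NoStoreFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // No valid session, no page: an invalidated session cannot be "resumed".
        HttpSession session = hreq.getSession(false);
        if (session == null || session.getAttribute("userid") == null) {
            hres.sendRedirect(hreq.getContextPath() + "/login");
            return;
        }
        hres.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        hres.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        hres.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}
```

Two things to keep in mind when applying this: invalidating the previous session at login also protects against a user being handed a session id chosen by someone else, and the no-store headers only help for pages served after the filter is in place, so pages the browser cached before the change will still show up on Back until they expire. None of this replaces the point made in the reply: if several people share one Windows account and browser, the application can only limit the damage, not prevent it.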

