Is there a way to force session to invalidate or not to be recognized
if the client IP changes? This is a PCI requirement so that if a
third obtains a valid session ID they cannot use it to re-establish
the original session with the server.
Based on tests I have run using resin 3.1.8, the default configuration
is seems that the session is maintained whenever the JSESSIONID cookie
contains a valid session id. In particular, I established a session
with the resin3.1 server, then changed my client IP, then reconnected
to the server and all session information was maintained.
Thanks in advance.
resin-interest mailing list