Is there a way to force a session to be invalidated, or not to be recognized, if the client IP changes? This is a PCI requirement so that if a third party obtains a valid session ID they cannot use it to re-establish the original session with the server.

Based on tests I have run using Resin 3.1.8, it seems that in the default configuration the session is maintained whenever the JSESSIONID cookie contains a valid session ID. In particular, I established a session with the Resin 3.1 server, then changed my client IP, then reconnected to the server, and all session information was maintained.


Thanks in advance.
Rafa.
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
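
The check asked about above can be written as a servlet filter. This is an added example, not part of the original post and not Resin's own code. It uses only the standard Servlet API; the class name and the session attribute name are hypothetical, and it assumes `getRemoteAddr()` returns the real client address (no reverse proxy or load balancer in front of the server).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Binds each HttpSession to the client address that first used it. */
public class SessionIpBindingFilter implements Filter {
    // Hypothetical attribute name chosen for this example.
    private static final String BOUND_IP = "example.session.boundIp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String clientIp = request.getRemoteAddr();

        // getSession(false): inspect an existing session, never create one here.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_IP);
            if (bound == null) {
                session.setAttribute(BOUND_IP, clientIp);
            } else if (!bound.equals(clientIp)) {
                // Valid JSESSIONID presented from a different address:
                // destroy the server-side state and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind a session the application created during this request, so the
        // next request carrying its ID is already checked against this address.
        try {
            HttpSession created = request.getSession(false);
            if (created != null && created.getAttribute(BOUND_IP) == null) {
                created.setAttribute(BOUND_IP, clientIp);
            }
        } catch (IllegalStateException e) {
            // The application invalidated the session itself; nothing to bind.
        }
    }
}
```

The filter takes effect once it is mapped to `/*` with a standard `<filter>` and `<filter-mapping>` entry in `web.xml`. Clients whose address legitimately changes mid-session (mobile networks, proxy pools) will be logged out by this check.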
