Is there a way to force a session to invalidate, or not to be recognized, if the client IP changes? This is a PCI requirement so that if a third party obtains a valid session ID they cannot use it to re-establish the original session with the server.

Based on tests I have run using Resin 3.1.8, the default configuration seems to be that the session is maintained whenever the JSESSIONID cookie contains a valid session ID. In particular, I established a session with the Resin 3.1 server, then changed my client IP, then reconnected to the server, and all session information was maintained.

Thanks in advance.
resin-interest mailing list
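One way to get the behaviour asked about above with the standard Servlet API, shown as an added example that is not part of the original post and not Resin's own code: a filter that records the client address when a session is first seen and invalidates the session if a later request presents the same session ID from a different address. The class name `SessionIpBindingFilter` and the attribute name `example.session.boundIp` are hypothetical, and the code assumes `getRemoteAddr()` returns the real client address (no reverse proxy or load balancer in front of the server).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (added example): ties each session to one client address.
public class SessionIpBindingFilter implements Filter {
    // Hypothetical attribute name holding the address the session is bound to.
    private static final String BOUND_IP = "example.session.boundIp";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        String remote = request.getRemoteAddr();

        // getSession(false) never creates a session; null means none exists yet.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_IP);
            if (bound != null && !bound.equals(remote)) {
                // Same JSESSIONID, different address: drop the session so the
                // application treats this request as unauthenticated.
                session.invalidate();
            }
        }

        chain.doFilter(req, res);

        // Bind any session that exists now but has no address recorded,
        // including one the application created while handling this request.
        HttpSession current = request.getSession(false);
        if (current != null && current.getAttribute(BOUND_IP) == null) {
            current.setAttribute(BOUND_IP, remote);
        }
    }

    public void destroy() {}
}
```

The filter has to be mapped ahead of the application's own filters and servlets in `web.xml`. Clients whose address legitimately changes mid-session (mobile networks, some corporate proxies) will lose their session under this check.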
