If Resin does not implement it itself, implementing a filter that  
stores the IP in the session and checks on each request before passing  
the request along should not be difficult. I don't know if Resin  
already provides such a feature.


S'està citant Rafael Escolar | Bookassist <rafael.esco...@bookassist.com>:

> Is there a way to force session to invalidate or not to be recognized
> if the client IP changes?  This is a PCI requirement so that if a
> third obtains a valid session ID they cannot use it to re-establish
> the original session with the server.
> Based on tests I have run using resin 3.1.8, the default configuration
> is seems that the session is maintained whenever the JSESSIONID cookie
> contains a valid session id. In particular, I established a session
> with the resin3.1 server, then changed my client IP, then reconnected
> to the server and all session information was maintained.
> Thanks in advance.
> Rafa.


resin-interest mailing list

Reply via email to