That's a problem in your server code... A session is bound to a connection (browser session) basically, not a machine. If you open a second browser (or a second tab) you should get a different session-id. Don't use JSESSIONID in URL parameters, but in a session cookie (unless you need to cross protocols like http <-> https).
For security, you will have to bind an 'ending' date to the session's authentication.

Nicolas Romantzoff
General Manager
Tel.: (+33) 478 53 65 17

-----Original Message-----
From: Vishnu Vardhana Reddy [mailto:vishnu...@gmail.com]
Sent: Friday, 19 December, 2008 12:55
To: users@tomcat.apache.org
Subject: how to invalidate old sessions when new user access appl on same machine

Hi all,

I am using the Mozilla browser to access my web application. User one accesses my application using his credentials, but I left that browser open. After that I open another Mozilla window and access my application using different credentials, e.g. user2's credentials. User 2 can also access my application, but when I open the first browser I automatically get the second user's session. How can we avoid this problem?

The application is using the session identifier (jSessionID) as the URL parameter for session management. Is it possible to invalidate the old session when a new user accesses it on the same machine?

Thanks,
Vishnu
--
View this message in context: http://www.nabble.com/how-to-invalidate-old-sessions-when-new-user-access-appl-on-same-machine-tp21090090p21090090.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
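
One way to apply the advice in this thread in servlet code, as an added example that is not code from either poster: drop any existing session at login, attach an absolute expiry to the authentication, and refuse session ids that arrive in the URL. It assumes the javax.servlet API (newer Tomcat releases use the jakarta.servlet package instead); the class name, attribute names and the 30-minute limit are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: names and the lifetime value below are assumptions, not from the thread.
public class AuthExpiryFilter implements Filter {
    static final String USER = "auth.user";          // hypothetical attribute name
    static final String EXPIRES = "auth.expiresAt";  // hypothetical attribute name
    static final long MAX_AUTH_MS = 30 * 60 * 1000L; // constructed value: 30 minutes

    // Call from the login handler once the credentials have been verified.
    static void login(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // a new login never inherits the previous user's session
        }
        HttpSession fresh = req.getSession(true); // container issues a new session id
        fresh.setAttribute(USER, user);
        fresh.setAttribute(EXPIRES, Long.valueOf(System.currentTimeMillis() + MAX_AUTH_MS));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);

        // Session ids in URLs end up in history, logs and Referer headers.
        // Remove this check if the application must carry the id across http <-> https.
        if (s != null && req.isRequestedSessionIdFromURL()) {
            s.invalidate();
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The 'ending' date: an authenticated session is rejected once its expiry has passed,
        // regardless of how recently it was used.
        if (s != null && s.getAttribute(USER) != null) {
            Long expires = (Long) s.getAttribute(EXPIRES);
            if (expires == null || System.currentTimeMillis() > expires.longValue()) {
                s.invalidate();
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(rq, rs);
    }
}
```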