Afaik tomcat uses either cookies or url-encoding to get the session-id from the users requesting a resource, which has nothing to do with the ip address. The only circumstances I could imagine therefore are two differente browsers having installed the same session-cookie (which is quite unlikely and would require the users to actively copy those cookie from one machine to the other) or (which is much more likely) two users using the same encoded urls. This might happen if one user sends another the complete(!) link containing the session id by copying it out of the address-field of his browser, e.g.:
http://www.yourserver.com/yourcontext/someresource.jsp;jsessionid=C21CC5E4A5 890818B3E56426925E86F9 This would let the other user share the same session as long as it has not timed out. best regards Andreas Mohrig -----Original Message----- From: Roland Carlsson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 14, 2002 11:20 AM To: Tomcat Users List Subject: Session and IP Hi! I'm trying to trace a strange behavior from a couple of error reports from the users of a system. The problem is that they seems to share the same session on our server. Different computers, on different location, sharing a public ip-number (corporate intranet through VPN to a single internet-node). The company has IE4 as their default browser. My questions are: Is it possible that tomcat let those users share the same session since they share the same public IP-number? Under what circumstances would that behavior occur? Thanks in advance Roland Carlsson -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
