Thanks for your answer. We are not using url-encoding, only cookies.
Is it possible that a proxy can catch the page and fool the cookie system? We have not set any commands to proxies but the default that tomcat uses?

Thanks
Roland Carlsson

----- Original Message -----
From: "Andreas Mohrig" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Wednesday, August 14, 2002 11:31 AM
Subject: RE: Session and IP

> Afaik tomcat uses either cookies or url-encoding to get the session-id from
> the users requesting a resource, which has nothing to do with the ip
> address. The only circumstances I could imagine therefore are two different
> browsers having installed the same session-cookie (which is quite unlikely
> and would require the users to actively copy those cookies from one machine
> to the other) or (which is much more likely) two users using the same
> encoded urls. This might happen if one user sends another the complete(!)
> link containing the session id by copying it out of the address-field of his
> browser, e.g.:
>
> http://www.yourserver.com/yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9
>
> This would let the other user share the same session as long as it has not
> timed out.
>
> best regards
>
> Andreas Mohrig
>
> -----Original Message-----
> From: Roland Carlsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 14, 2002 11:20 AM
> To: Tomcat Users List
> Subject: Session and IP
>
>
> Hi!
> I'm trying to trace a strange behavior from a couple of error reports from
> the users of a system.
>
> The problem is that they seem to share the same session on our server.
> Different computers, in different locations, sharing a public ip-number
> (corporate intranet through VPN to a single internet-node).
>
> The company has IE4 as their default browser.
>
> My questions are:
>
> Is it possible that tomcat lets those users share the same session since they
> share the same public IP-number? Under what circumstances would that
> behavior occur?
>
> Thanks in advance
> Roland Carlsson
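A log check for the URL-sharing case described in the thread, as an added example that is not part of the original messages: it scans access-log lines for `;jsessionid=` path parameters and reports ids presented by more than one client. The Combined Log Format, the function names and the sample lines are assumptions; clients behind one NAT address with identical browsers cannot be told apart by this fingerprint.

```python
import re
from collections import defaultdict

# Assumed format (Combined Log Format):
# ip - user [time] "METHOD uri PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# URL-encoded sessions carry the id as a path parameter: /page.jsp;jsessionid=<id>?query
SID_RE = re.compile(r';jsessionid=([^;?#/\s]+)', re.IGNORECASE)

def clients_per_url_session(lines):
    """Map each session id seen in a URL to the (ip, user-agent) pairs that sent it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed log format
        sid = SID_RE.search(m.group("uri"))
        if sid:
            # Session ids are case-sensitive, so they are kept exactly as logged.
            seen[sid.group(1)].add((m.group("ip"), m.group("ua")))
    return dict(seen)

def shared_sessions(lines):
    """Session ids presented in URLs by more than one distinct client."""
    return {sid: c for sid, c in clients_per_url_session(lines).items() if len(c) > 1}

# Constructed sample lines (documentation IP ranges). The first id is the one
# quoted in the thread; the second id is made up for this example.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Aug/2002:11:02:10 +0200] "GET /yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9 HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"',
    '198.51.100.7 - - [14/Aug/2002:11:09:44 +0200] "GET /yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9 HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '203.0.113.10 - - [14/Aug/2002:11:10:02 +0200] "GET /yourcontext/list.jsp;jsessionid=0123456789ABCDEF0123456789ABCDEF?page=2 HTTP/1.0" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"',
    '203.0.113.10 - - [14/Aug/2002:11:10:30 +0200] "GET /yourcontext/index.jsp HTTP/1.0" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"',
]

if __name__ == "__main__":
    for sid, clients in shared_sessions(SAMPLE_LOG).items():
        print(sid, "presented by", len(clients), "distinct clients")
```

An empty result from `clients_per_url_session` over real logs confirms that no session ids travel in URLs, which rules out the link-sharing explanation.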
