Are you using some kind of hardware load balancer (Alteon etc.)? If the answer is yes and it's configured for cookie rewrite (based on IP), then this is exactly the reason why the sessions are shared.
We had the same problem while configured with this kind of configuration.

Arthur

----- Original Message -----
From: "Roland Carlsson" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, August 14, 2002 11:35 AM
Subject: Re: Session and IP

> Thanks for your answer.
>
> We are not using url-encoding, only cookies.
>
> Is it possible that a proxy can catch the page and fool the cookie system?
> We have not set any commands to proxies but the default that tomcat uses?
>
> Thanks
> Roland Carlsson
>
> ----- Original Message -----
> From: "Andreas Mohrig" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Wednesday, August 14, 2002 11:31 AM
> Subject: RE: Session and IP
>
> > Afaik tomcat uses either cookies or url-encoding to get the session-id from
> > the users requesting a resource, which has nothing to do with the ip
> > address. The only circumstances I could imagine therefore are two different
> > browsers having installed the same session-cookie (which is quite unlikely
> > and would require the users to actively copy those cookies from one machine
> > to the other) or (which is much more likely) two users using the same
> > encoded urls. This might happen if one user sends another the complete(!)
> > link containing the session id by copying it out of the address-field of his
> > browser, e.g.:
> >
> > http://www.yourserver.com/yourcontext/someresource.jsp;jsessionid=C21CC5E4A5890818B3E56426925E86F9
> >
> > This would let the other user share the same session as long as it has not
> > timed out.
> >
> > best regards
> >
> > Andreas Mohrig
> >
> > -----Original Message-----
> > From: Roland Carlsson [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, August 14, 2002 11:20 AM
> > To: Tomcat Users List
> > Subject: Session and IP
> >
> > Hi!
> > I'm trying to trace a strange behavior from a couple of error reports from
> > the users of a system.
> >
> > The problem is that they seem to share the same session on our server.
> > Different computers, on different location, sharing a public ip-number
> > (corporate intranet through VPN to a single internet-node).
> >
> > The company has IE4 as their default browser.
> >
> > My questions are:
> >
> > Is it possible that tomcat let those users share the same session since they
> > share the same public IP-number? Under what circumstances would that
> > behavior occur?
> >
> > Thanks in advance
> > Roland Carlsson

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
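
An added example, not part of the original thread: one way to confirm from server logs whether a single session id is being presented by more than one user, and whether any session id has leaked into a URL as described above. Because the affected users share one public IP, the check keys on the login name rather than the address; the log layout, login names and session ids below are constructed assumptions, not Tomcat's default access log format.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed layout: ip user "request" session-id-from-cookie
SAMPLE_LOG = '''\
203.0.113.7 alice "GET /yourcontext/someresource.jsp HTTP/1.0" AAAA1111
203.0.113.7 bob "GET /yourcontext/someresource.jsp;jsessionid=AAAA1111 HTTP/1.0" -
203.0.113.7 carol "GET /yourcontext/other.jsp HTTP/1.0" BBBB2222
203.0.113.7 carol "GET /yourcontext/other.jsp HTTP/1.0" BBBB2222
'''

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\S+)$')
URL_SID_RE = re.compile(r';jsessionid=([0-9A-Za-z]+)', re.IGNORECASE)


def analyse(log_text):
    """Return (shared, url_leaks).

    shared:    session id -> sorted login names, only for ids used by more than one name
    url_leaks: sorted session ids that appeared inside a request URL
    """
    users_by_sid = defaultdict(set)
    url_leaks = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed layout
        _ip, user, _method, path, cookie_sid = m.groups()
        in_url = URL_SID_RE.search(path)
        if in_url:
            url_leaks.add(in_url.group(1))
        # A URL-encoded id takes the place of a missing cookie id.
        sid = in_url.group(1) if in_url else cookie_sid
        if sid == '-' or user == '-':
            continue  # anonymous request or no session: nothing to correlate
        users_by_sid[sid].add(user)
    shared = {s: sorted(u) for s, u in users_by_sid.items() if len(u) > 1}
    return shared, sorted(url_leaks)


if __name__ == '__main__':
    shared, leaks = analyse(SAMPLE_LOG)
    for sid, names in shared.items():
        print(f'session {sid} used by {", ".join(names)}')
    print('session ids seen in URLs:', leaks)
```

All four sample requests come from the same address, so grouping by IP would show nothing unusual; only the per-session set of login names exposes the shared session.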
