I guess changing the cookie name can help here:
org.apache.catalina.SESSION_COOKIE_NAME
See:
http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html
Note that this is a per-JVM setting, so all the apps on
the given server will get this cookie name.
Which in turn is probably NOT a problem, as Christopher has already
pointed out.
Evgeny

On Wed, Feb 24, 2010 at 5:28 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ron,
>
> On 2/24/2010 1:50 AM, Ron McNulty wrote:
> > Check what else they have open when they access your application.
> > There could be another J2EE application that does not scope its
> > session cookies correctly. We have had ongoing problems with SAP
> > portal servers scoping session cookies across our whole domain,
> > rather than scoping to the server they are running on. When this
> > happens, you get a session that does not belong to you. Ask them to
> > browse their cookies and tell you the scope (there are many Firefox
> > plugins that will make this easy).
> >
> > Personally I think it is a shortcoming of the J2EE Servlet
> > specification - all session cookies are named JSESSIONID. This is not
> > honoured by some IBM products, but Tomcat adheres faithfully to the
> > spec.
>
> Tomcat's implementation can handle multiple JSESSIONID cookies: if
> multiple cookies are present, it will loop over them to see if any are
> valid. Tomcat will take the first valid JSESSIONID cookie and ignore the
> others.
>
> Unless there are session id collisions between webapps, this should not
> be the problem (instead, what the OP would observe is users masquerading
> as other users: oops).
>
> -chris

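A simplified model of the cookie selection described in the thread (first valid JSESSIONID wins) and of what renaming the session cookie changes, as an added example that is not part of the original messages and is not Tomcat's own code. The cookie name `MYAPPSESSION`, the session ids and the header strings are constructed for illustration.

```python
# Simplified model of the behaviour discussed in the thread; not Tomcat source.
# All names and sample values below are constructed.

def parse_cookie_header(header):
    """Return (name, value) pairs in header order, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip().strip('"')))
    return pairs


def resolve_session(header, active_sessions, cookie_name="JSESSIONID"):
    """Pick the first cookie named cookie_name whose value is a live session.

    Returns (session_id or None, candidates). More than one candidate means
    some other application scoped its session cookie broadly enough to reach
    this one, which is worth logging when diagnosing session mix-ups.
    """
    candidates = [v for n, v in parse_cookie_header(header) if n == cookie_name]
    for value in candidates:
        if value in active_sessions:
            return value, candidates
    return None, candidates


# Constructed sample: sessions known to this webapp.
ACTIVE = {"A1B2C3": "alice"}

# Constructed sample: a domain-wide cookie from another app arrives before ours.
MIXED = "JSESSIONID=FOREIGN999; theme=dark; JSESSIONID=A1B2C3"

# Constructed sample: with a renamed cookie (hypothetical name MYAPPSESSION),
# the foreign JSESSIONID is never considered a candidate.
RENAMED = "JSESSIONID=FOREIGN999; MYAPPSESSION=A1B2C3"

if __name__ == "__main__":
    print(resolve_session(MIXED, ACTIVE))
    print(resolve_session(RENAMED, ACTIVE, cookie_name="MYAPPSESSION"))
```
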