Thanks for the answer. Then can it be when generating the session?

I use a servlet to create the session with the code:

    HttpSession session = request.getSession();

Then I add the attributes:

    session.setAttribute("idUser", p_iduser);
    session.setAttribute("username", p_username);
    session.setAttribute("idrol", p_idrol);

And redirect to the page "principal.jsp":

    response.sendRedirect("principal.jsp");

On the page "principal.jsp", I recover the attributes for display:

    session = request.getSession(false);
    String Id_user = (String) session.getAttribute("idUser");
    String username = (String) session.getAttribute("username");
    String Idrol = (String) session.getAttribute("idrol");

This is where the problem occurred: one user's session captured another user's session. Could the procedure used then be bad?

Thanks

2013/11/11 Mark Thomas <ma...@apache.org>

> On 11/11/2013 11:54, Jose Irrazabal wrote:
> > Hi All,
> >
> > I use Apache Tomcat/7.0.29 to deploy my applications, and I'm with a
> > problem of duplicated user session or something, as uncertain occurs when a
> > user acquire a session takes of another user and I reported 3 cases of this
> > type of security error.
>
> Exactly what problem do you observe?
>
> > I need your help to know how the JSESSIONID is generated because I suspect
> > that the error is when generated the session. Example: *JSESSIONID*:
> > 5DC89FC25D2CEC391A0EC1D3F07F0941
>
> It is generated from a SecureRandom. That is not going to be the source
> of the problem you are seeing.
>
> Mark
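
A diagnostic for the symptom discussed in this thread, as an added example that is not part of the original messages or of Tomcat: a servlet filter that remembers which client first used each session and logs when the same session is later presented by a different client. The class name, the `audit.firstClient` attribute and the log format are assumptions; `idUser` is the attribute set in the servlet code above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical audit filter for Servlet 3.0 (Tomcat 7); not code from the thread.
@WebFilter("/*")
public class SessionOwnerAuditFilter implements Filter {
    private static final String FIRST_CLIENT = "audit.firstClient"; // assumed attribute name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        if (session != null && session.getAttribute("idUser") != null) {
            // Client fingerprint; CR/LF replaced so a header cannot forge log lines.
            String client = (http.getRemoteAddr() + "|" + http.getHeader("User-Agent"))
                    .replaceAll("[\\r\\n]", "_");
            Object first = session.getAttribute(FIRST_CLIENT);
            if (first == null) {
                session.setAttribute(FIRST_CLIENT, client);
            } else if (!first.equals(client)) {
                // Same JSESSIONID, different client. A changed address alone can be
                // benign (NAT, mobile networks), so compare with the reported cases.
                String id = session.getId();
                http.getServletContext().log("SESSION-AUDIT session="
                        + id.substring(0, Math.min(8, id.length())) + "..." // id not logged in full
                        + " idUser=" + session.getAttribute("idUser")
                        + " first=[" + first + "] now=[" + client + "]"
                        + " uri=" + http.getRequestURI());
            }
        }
        chain.doFilter(req, res);
    }
}
```

Each `SESSION-AUDIT` line gives the time, the user stored in the session and both clients, which is the kind of detail the question "Exactly what problem do you observe?" asks for.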