Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: TCP connections and HTTP sessions
>>
>> Some proxies/firewalls etc.. may even apparently use a single TCP
>> connection to the back-end server, to serve requests from different
>> clients.
>
> I've never seen that, and it would be a serious breach of security, making
> sessions, cookies, and other such mechanisms useless. Proxies will almost
> always use the same IP address, but will separate clients by port number.

I did not say that this was recommended practice, nor even that it was
not a bug. But I am positive that I saw it mentioned in the last couple
of months as something that happens. I believe it might have been in
some discussion relative to HTTP NTLM authentication, and indeed
problems related to that fact (and hence security).

To nitpick, I don't think it would influence cookies per se. Cookies
work fine even when the connection is reset and re-established, and do
not to my knowledge relate to ports (nor even in fact to IP addresses,
only to hostnames and paths).

And I am wondering how it could influence "sessions", though I guess it
depends a lot on the definition of what is a session.

Anyway, the point was that the OP seemed to confuse the idea of
"application session" (in the sense of some application context saved at
the server side between requests), and the existence of a persistent TCP
connection and/or dedicated thread/child at the server side.

In my understanding (and I believe Chris's), there is no such link.