Ron,

On 2/24/2010 1:50 AM, Ron McNulty wrote:
> Check what else they have open when they access your application.
> There could be another J2EE application that does not scope its
> session cookies correctly. We have had ongoing problems with SAP
> portal servers scoping session cookies across our whole domain,
> rather than scoping to the server they are running on. When this
> happens, you get a session that does not belong to you. Ask them to
> browse their cookies and tell you the scope (there are many Firefox
> plugins that will make this easy).
>
> Personally I think it is a shortcoming of the J2EE Servlet
> specification - all session cookies are named JSESSIONID. This is not
> honoured by some IBM products, but Tomcat adheres faithfully to the
> spec.

Tomcat's implementation can handle multiple JSESSIONID cookies: if
multiple cookies are present, it will loop over them to see if any are
valid. Tomcat will take the first valid JSESSIONID cookie and ignore the
others. Unless there are session id collisions between webapps, this
should not be the problem (instead, what the OP would observe is users
masquerading as other users: oops).

-chris
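
The cookie handling discussed in this message, as a simplified Python model added here (it is not Tomcat's code and not part of the original email). The function names, the session table and the sample Cookie headers are constructed for illustration; the `audit` output shows what a server-side log check for duplicate JSESSIONID cookies could record.

```python
# Added illustration: a simplified model, not Tomcat source code.
COOKIE_NAME = "JSESSIONID"

def session_id_candidates(cookie_header):
    """Return every JSESSIONID value in a Cookie request header, in order.

    The browser sends only name=value pairs, so cookies set with different
    Domain/Path scopes but the same name arrive as plain duplicates.
    """
    values = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == COOKIE_NAME:
            values.append(value.strip('"'))
    return values

def resolve_session(cookie_header, live_sessions):
    """Pick the first candidate that is a live session in this webapp.

    live_sessions maps session id -> user for one web application.
    Returns (session id or None, all candidates seen).
    """
    candidates = session_id_candidates(cookie_header)
    for sid in candidates:
        if sid in live_sessions:
            return sid, candidates
    return None, candidates

def audit(cookie_header, live_sessions):
    """Summarise a request for logging: ids received and which one won."""
    sid, candidates = resolve_session(cookie_header, live_sessions)
    return {
        "duplicate_cookie": len(candidates) > 1,  # hint of an over-broad scope
        "foreign_ids": [c for c in candidates if c not in live_sessions],
        "session": sid,
        "user": live_sessions.get(sid),
    }

# Constructed sample data: one webapp's session table and three requests.
SESSIONS = {"A1B2C3": "alice"}
REQUESTS = [
    "JSESSIONID=A1B2C3",                                   # normal case
    "JSESSIONID=PORTAL99; theme=dark; JSESSIONID=A1B2C3",  # extra domain-wide cookie
    "JSESSIONID=PORTAL99",                                 # only the foreign cookie
]

if __name__ == "__main__":
    for header in REQUESTS:
        print(header, "->", audit(header, SESSIONS))
```

In this model a foreign id is skipped unless it happens to match a live id in the receiving webapp, in which case the first match determines the user.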