Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/07/06 12:27:41 UTC

DO NOT REPLY [Bug 40114] Session inadvertently "hijacked" by different after server restart

https://issues.apache.org/bugzilla/show_bug.cgi?id=40114

Denis A. <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #2 from Denis A. <al...@gmail.com> 2010-07-06 06:27:37 EDT ---
This happens with:
* Tomcat 5.5.26
* Server running in VMWARE Server 2.0.2 Build 203138
* Virtual hardware version 7
* OS: Windows 2003 Server Standard, French, 32-bit
* CPU: 1 CPU 2.597 GHz
* RAM: 4096 MB
* Java: Java 6 update 16 and Java SE Development Kit 6 Update 16
* A web application using MyFaces 1.1.5
* Persistent sessions are disabled in context.xml:

<!--  Uncomment this to disable session persistence across Tomcat restarts 
  --> 
  <Manager pathname="" /> 

This seems to happen only after a server restart.
For example, a user logs in and has some session-scoped beans from their session
and others from another old session.

This is a serious issue as it allows getting confidential information.

Any clue on how to debug/solve this?
