Posted to users@tomcat.apache.org by Paul Rubenis <pa...@tc.umn.edu> on 2001/11/15 17:32:15 UTC

Sessions being shared... (TC 3.2.3)

	I have some strangeness happening when using Tomcat 3.2.3, Apache and
an EJB Server.  Though it appears to be a session issue.  The
application is using SSL via Apache.

	Basically people log into the application via a jsp, the jsp creates a
session for that person and stuffs information about them into it.  What
is happening is that somehow sessions are being shared between people. 
So person A logs in just fine, does some stuff.  Person B then logs in,
gets the session id for person A and therefore can see everything person
A can in the application.  Obviously this is bad.  What perplexes me is
how anyone could EVER get another person's sessionid.

Here are the specs for the environment:

Solaris 7
java 1.3.1
jakarta 3.2.3
apache-ssl 1.3.19

	Thanks for any insight people might have on this.

-- 
+-------------------------------------- mailto:paulr@tc.umn.edu ----+
| Paul M Rubenis - System Administrator                             |
| Phone: (612) 624-8337                                             |
| Fax:   (612) 625-6853                                             |
+-------------------------------------------------------------------+
| Any connection between your reality and mine is purely            |
| coincidental.                                                     |
