If Resin does not implement it itself, implementing a filter that stores the IP in the session and checks on each request before passing the request along should not be difficult. I don't know if Resin already provides such a feature.
S! D. S'està citant Rafael Escolar | Bookassist <rafael.esco...@bookassist.com>: > Is there a way to force session to invalidate or not to be recognized > if the client IP changes? This is a PCI requirement so that if a > third obtains a valid session ID they cannot use it to re-establish > the original session with the server. > > Based on tests I have run using resin 3.1.8, the default configuration > is seems that the session is maintained whenever the JSESSIONID cookie > contains a valid session id. In particular, I established a session > with the resin3.1 server, then changed my client IP, then reconnected > to the server and all session information was maintained. > > Thanks in advance. > Rafa. ---------------------------------------------------------------- _______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest