On May 4, 2009, at 7:38 AM, Daniel Lopez wrote:

> If Resin does not implement it itself, implementing a filter that
> stores the IP in the session and checks on each request before passing
> the request along should not be difficult. I don't know if Resin
> already provides such a feature.

Resin doesn't currently have that feature, so you'd need to use a filter.

There used to be ISPs that changed client IPs randomly as part of their normal operation. AOL was the biggest. If that behavior has changed so basically everyone uses a single client IP, we can make it an option.

-- Scott

> S!
> D.
>
> Quoting Rafael Escolar | Bookassist <rafael.esco...@bookassist.com>:
>
>> Is there a way to force the session to invalidate or not to be
>> recognized if the client IP changes? This is a PCI requirement so
>> that if a third party obtains a valid session ID they cannot use it
>> to re-establish the original session with the server.
>>
>> Based on tests I have run using resin 3.1.8 with the default
>> configuration, it seems that the session is maintained whenever the
>> JSESSIONID cookie contains a valid session id. In particular, I
>> established a session with the resin3.1 server, then changed my
>> client IP, then reconnected to the server and all session
>> information was maintained.
>>
>> Thanks in advance.
>> Rafa.
>
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest