[may be a duplicate--I had problems posting the original]

My web app uses a web app server which does not persist HttpSessions for requests over multiple IP addresses--the webserver uses cookies to retrieve the session id, but it validates the incoming IP to ensure it matches the address that originated the session. This is ostensibly done to prohibit session spoofing--if I were snooping somebody else's network and retrieved their cookies, I could get in on their session.

For most clients this is fine, since each request for a particular browser session will originate from a single machine (either their browser machine or a single proxy). However, one of the app's clients is going out through a network of web proxies for which subsequent requests to the app (even from the same browser) come in to us from different IP addresses.

A few questions about this:

a) Do most web app servers perform this IP validation by default (Apache/Tomcat, WebLogic, etc.)? For the ones that do, can it be switched off?

b) Is my web app server vendor correct in not having servlet sessions span incoming IP addresses? Is it a valid security concern?

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
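An added example (in Python rather than Java, and not code from the post or from any servlet container) that models the check the post describes: a session store with the strict per-IP binding, a looser per-subnet variant and no binding at all, replayed over a constructed sequence of rotating proxy addresses. `SessionStore`, `count_accepted`, the policy names and the TEST-NET sample addresses are assumptions for illustration only.

```python
import ipaddress
import secrets

class SessionStore:
    """In-memory session store that can bind a session to the IP that created it.
    policy: 'none'   - trust the cookie alone (no IP check)
            'exact'  - reject any IP other than the originating one (the post's case)
            'prefix' - accept the originating /24 (IPv4) or /64 (IPv6), a looser
                       binding that tolerates some proxy pools
    """

    def __init__(self, policy="exact", v4_prefix=24, v6_prefix=64):
        if policy not in ("none", "exact", "prefix"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy, self.v4_prefix, self.v6_prefix = policy, v4_prefix, v6_prefix
        self._sessions = {}  # sid -> (originating IP address, session data)

    def _network(self, addr):
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session id for the cookie
        self._sessions[sid] = (ipaddress.ip_address(client_ip), {})
        return sid

    def lookup(self, sid, client_ip):
        """Return the session data, or None if the cookie is unknown or the policy rejects the IP."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        origin, data = entry
        addr = ipaddress.ip_address(client_ip)
        if self.policy == "exact" and addr != origin:
            return None
        if self.policy == "prefix" and addr not in self._network(origin):
            return None
        return data

def count_accepted(policy, request_ips):
    """Open a session from the first IP, replay the rest with the same cookie,
    and return how many follow-up requests the policy accepted."""
    store = SessionStore(policy)
    sid = store.create(request_ips[0])
    return sum(store.lookup(sid, ip) is not None for ip in request_ips[1:])

# Constructed sample: one browser behind a proxy pool whose egress IPs rotate
# (TEST-NET documentation addresses, not real hosts).
ROTATING_PROXY_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.7"]
```

Under `exact` the rotating pool loses its session on every hop, `prefix` keeps it only while the egress stays in the originating /24, and `none` relies on the cookie alone. IP binding only narrows cookie theft to attackers sharing the victim's egress IP (everyone behind one NAT looks alike), so TLS and Secure/HttpOnly cookie attributes remain the primary control.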
