DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13516>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13516

Servlet Specification Incompatibility - Sessions are not correctly scoped according to the Servlet Specification

           Summary: Servlet Specification Incompatibility - Sessions are not correctly scoped according to the Servlet Specification
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Servlet & JSP API
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Section SRV.7.3 of the Servlet spec states the following:

"...if a servlet uses the RequestDispatcher to call a servlet in another web application, any sessions created for and visible to the callee servlet must be different from those visible to the calling servlet."

Both Tomcat 4.0.4 and 4.1.9 do not adhere to this requirement. When an include() is performed across web applications, the session is the same. An attribute placed in the session of the callee servlet is visible to the calling servlet when the servlets are in separate web applications. Not only is this not compliant with the specification, but it's also a security issue.
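A compliance probe for the SRV.7.3 behaviour described in the report, added here as an example; it is not part of the bug report and not Tomcat code. It assumes two web applications deployed at the hypothetical context paths /appA and /appB, with the caller servlet mapped to /caller in A and the probe servlet mapped to /probe in B (in practice the two classes live in two separate WARs), and that both Tomcat Contexts are configured with crossContext="true", since otherwise ServletContext.getContext() returns null. The caller marks its own session, includes the probe across contexts, and then checks whether session attributes leaked in either direction.

```java
// Added example (not from the bug report or Tomcat). Servlet 2.3 API as used by Tomcat 4.
// Deployed in web application A (hypothetical context path "/appA"), mapped to /caller.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionScopeCallerServlet extends HttpServlet {
    // Attribute names are hypothetical; the probe servlet repeats them as literals.
    static final String CALLER_MARK = "scopeprobe.callerMark";          // set by caller in its own session
    static final String CALLEE_MARK = "scopeprobe.calleeMark";          // set by callee in its own session
    static final String RESULT_ID   = "scopeprobe.calleeSessionId";     // request attribute written by callee
    static final String RESULT_LEAK = "scopeprobe.calleeSawCallerMark"; // request attribute written by callee

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        HttpSession mine = req.getSession(true);
        mine.setAttribute(CALLER_MARK, Boolean.TRUE);

        // Cross-context dispatch: requires crossContext="true" on the Tomcat Context, else null.
        ServletContext other = getServletContext().getContext("/appB");
        if (other == null) {
            out.println("SKIP: getContext(\"/appB\") returned null (crossContext disabled or app missing)");
            return;
        }
        RequestDispatcher rd = other.getRequestDispatcher("/probe");
        rd.include(req, resp);

        // Request attributes are legitimately shared across an include; the callee reports through them.
        String calleeId = (String) req.getAttribute(RESULT_ID);
        Boolean calleeSawCallerMark = (Boolean) req.getAttribute(RESULT_LEAK);
        boolean callerSeesCalleeMark = mine.getAttribute(CALLEE_MARK) != null;

        // Verdict is based on attribute visibility only: a container may reuse the session
        // identifier across contexts while still keeping separate session state per application.
        boolean compliant = !Boolean.TRUE.equals(calleeSawCallerMark) && !callerSeesCalleeMark;

        out.println("caller session id:         " + mine.getId());
        out.println("callee session id:         " + calleeId);
        out.println("callee saw caller's attr:  " + calleeSawCallerMark);
        out.println("caller sees callee's attr: " + callerSeesCalleeMark);
        out.println(compliant
                ? "PASS: session state is scoped per web application (SRV.7.3)"
                : "FAIL: session attributes are visible across web applications");
    }
}

// Deployed in web application B (hypothetical context path "/appB"), mapped to /probe.
// Shown non-public here only so both servlets fit in one listing.
class SessionScopeProbeServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Per SRV.7.3 this must be B's own session, not the caller's.
        HttpSession s = req.getSession(true);
        boolean sawCallerMark = s.getAttribute("scopeprobe.callerMark") != null;
        s.setAttribute("scopeprobe.calleeMark", Boolean.TRUE);
        req.setAttribute("scopeprobe.calleeSessionId", s.getId());
        req.setAttribute("scopeprobe.calleeSawCallerMark", Boolean.valueOf(sawCallerMark));
    }
}
```

Deploy both applications, request /appA/caller once, and read the verdict line. On a container with the defect described in the report the callee sees the caller's attribute and the caller sees the callee's, so the probe reports FAIL; on a compliant container both visibility checks are false even if the printed session identifiers happen to match.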