Typically this kind of errors doesn't mean that the users access the same session but the jsp's/servlets you use store information in place that is not local to the session. (e.g.: class or instance variables)
To verify that the users have different sessions, have a look at the session id. If they differ it's probably an application problem. > -----Ursprüngliche Nachricht----- > Von: Paul Rubenis [mailto:[EMAIL PROTECTED]] > Gesendet: Donnerstag, 15. November 2001 17:32 > An: Tomcat Users List > Betreff: Sessions being shared... (TC 3.2.3) > > > I have some strangeness happening when using Tomcat > 3.2.3, Apache and > an EJB Server. Though it appears to be a session issue. The > application is using SSL via Apache. > > Basically people log into the application via a jsp, > the jsp creates a > session for that person and stuffs information about them > into it. What > is happening is that somehow sessions are being shared > between people. > So person A logs in just fine, does some stuff. Person B > then logs in, > gets the session id for person A and therefore can see > everything person > A can in the application. Obviously this is bad. What > perplexes me is > how anyone could EVER get another persons sessionid. > > Here are the specs for the environment: > > Solaris 7 > java 1.3.1 > jakarta 3.2.3 > apache-ssl 1.3.19 > > Thanks for any insight people might have on this. > > -- > +-------------------------------------- mailto:[EMAIL PROTECTED] ----+ > | Paul M Rubenis - System Administrator | > | Phone: (612) 624-8337 | > | Fax: (612) 625-6853 > | > +-------------------------------------------------------------------+ > | Any connection between your reality and mine is purely | > | coincidental. | > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > > > -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>