On 3/28/2018 5:20 PM, Alex O'Ree wrote:
Does tomcat do any validation on session id's based on up addresses? I'm thinking that if some one intercepts the session token and tries to use it from another ip address, then it's feasible to detect this and invalidate the session.
If you're using SSL, I don't think intercepting the session ID would be possible.
-- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com