Timothy, >> I still don't understand how JSF knows which session you are requesting. >> I'm sorry that I don't know a thing about JSF. > > That's OK, 'cause I'm not using JSF ;-)
Oh, sorry. I thought you had indicated that fact. IF you're using straight-up servlet stuff, then I can certainly help. > I'm just using Tomcat, and going on the assumption that when a session > is created for a particular user, it remains for that user, at that > location, until it times out or is otherwise destroyed/invalidated. That is a correct assumption, as long as you are using HttpServletRequest.getSession to get your sessions. > If this assumption is incorrect....well, I'll clearly have to find > *some* other way of identifying users. Cookies, maybe? Tomcat uses cookies (or optionally, re-written URLs) to track users and link them up with their sessions. If you are having session crossover, it is likely to be due to one of the following: 1. Incorrect or inappropriate use of HttpServletRequest.getSession method, possibly including the use of a static method in the servlet or a non-standard way of getting the session. 2. Incorrect use of URL rewriting to track the user's session id. 3. Your own session implementation which has bugs. There aren't too many good reasons to use your own session implementation. 4. Inappropriate storing of the session in another place, such as a VM-global or server-global store, and then incorrectly retrieving said session. -chris
signature.asc
Description: OpenPGP digital signature
