YS proposed a fix which will specifically fix the ThreadCleaner http://mail-archives.apache.org/mod_mbox/tomcat-users/200306.mbox/[EMAIL PROTECTED] HTH, Martin -- ********************************************************************* This email message and any files transmitted with it contain confidential information intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately by telephone or email and destroy the original message without making a copy. Thank you.
----- Original Message ----- From: "Peter Crowther" <[EMAIL PROTECTED]> To: "Tomcat Users List" <users@tomcat.apache.org> Sent: Friday, July 21, 2006 10:37 AM Subject: RE: getSession() thread-safe? User A can see user B's account > From: Christopher Schultz [mailto:[EMAIL PROTECTED] > Dave, > > > It is very strange. I do not understand how a User object in Session > > A gets into Session B. It seems that after a session is expired or > > invalidated, that session is attached to another user's request. > > I think what's going on is that you have a global session, instead of > individual sessions. User A is not seeing User B's session: > everyone is > seeing the /same/ session. I'm going to take a different guess: - Tomcat reuses session objects rather than allocating a new one each time; - You're seeing an artifact of this re-use: an expired session object has been re-used for a new session. - Peter --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]