Hi list!

I am trying to set up a Tomcat cluster with 2 members (2 different machines). On each machine there is an Apache and a Tomcat connected to it via mod_jk. For whatever reason the session stickiness does not work well - this is the reason for the cluster.

As far as I understand, setting up a cluster means that each Tomcat will try to discover other instances (in my case only one) using multicast. Now, I don't really understand much about multicasting, but it seems that if there is no firewall blocking multicasting that does not come from my Tomcat cluster machines, then anybody will be able to pretend to be a Tomcat and just join the cluster - and just read my users' session data. Again, I am not a network guru. But it seems pretty dangerous.

How are you dealing with this? Is this really a security risk?

Thanks
Evgeny