[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Session being stolen / assigned to wrong person

javaspack do-not-reply at jboss.com
Fri Mar 14 12:22:47 EDT 2008


Incorrect. We currently have just ONE JBoss server. When we had two, we used JvmRoute. But like I said, we don't use a second server anymore because we thought that might be the problem.

The problem is that a user session can be transferred to a different user session.

Example:
1. User logs in.
2. Adds stuff to cart.
3. Goes to checkout.
4. User becomes a different user with that person's sessionId.
5. Order is logged under wrong person.

By monitoring every single request that comes to our site, we have been able to see exactly what the users are doing.

One time, while the problem was happening, I went to our website and it gave me another user's sessionId. I didn't have to log in. Somehow it got me confused and assigned me their sessionId.

Since we have gone back to 4.0.3sp1, we haven't seen it. But it appears to exist in all the 4.2.x versions.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4136763#4136763
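
Added example, not part of the original post or of JBoss: one way to find this symptom in a per-request log is to flag every request where a JSESSIONID is presented by a client other than the one that first presented it. The log format, the use of client IP as the client identity (NAT and proxies blur it) and the function name are assumptions.

```python
import re

# Constructed sample request log; the line format is an assumption:
# timestamp client_ip JSESSIONID=<id> user=<login or -> METHOD path
SAMPLE_LOG = """\
2008-03-14T12:00:01 10.0.0.5 JSESSIONID=A1B2C3 user=- GET /login
2008-03-14T12:00:09 10.0.0.5 JSESSIONID=A1B2C3 user=alice POST /login
2008-03-14T12:01:30 10.0.0.5 JSESSIONID=A1B2C3 user=alice POST /cart/add
2008-03-14T12:01:41 10.0.0.9 JSESSIONID=D4E5F6 user=bob GET /account
2008-03-14T12:02:10 10.0.0.5 JSESSIONID=D4E5F6 user=bob GET /checkout
2008-03-14T12:02:15 10.0.0.5 JSESSIONID=D4E5F6 user=bob POST /order
2008-03-14T12:02:20 10.0.0.9 JSESSIONID=D4E5F6 user=bob GET /account
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) JSESSIONID=(?P<sid>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

def find_session_crossovers(log_text):
    """Return requests where a session id arrives from a client that did not
    originally present it, with the session that client used just before."""
    first_client = {}   # session id -> client that first presented it
    last_session = {}   # client -> session id on its previous request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, sid = m["ip"], m["sid"]
        owner = first_client.setdefault(sid, ip)
        if owner != ip:
            findings.append({
                "time": m["ts"], "client": ip, "session": sid,
                "first_seen_from": owner,
                "previous_session": last_session.get(ip),
                "user": m["user"], "path": m["path"],
            })
        last_session[ip] = sid
    return findings

if __name__ == "__main__":
    for f in find_session_crossovers(SAMPLE_LOG):
        print(f)
```

A finding whose previous_session differs from its session, with no login request in between, matches the checkout switch described in the post; clients that legitimately change IP will also appear and need to be filtered out.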