Brian, It was reported to me in October, then again today. I log the sessionId when a user logs into my app, and today I could see that the sessionId hGbGpyqSV2CPfJKGZi0KGg**.node1 was given to one user at 1:49PM and then to another user at 4:43PM. The first user complained that at 4:45PM she was seeing "Someone else's data". It is disturbing that the duplicate Id came from the same cluster node. I could probably run a query against the access table to see how often it is happening if that would help. However, it appears that the fix you are recommending be made in 4.2.3 already exists in another branch. After which version of JBoss AS is that fix applied? I also read that this can happen when sessionIds are recycled, and when the session cookie is being used in the URL (such as a bookmarked page with jsessionid) that JBoss will use the sessionId passed in without creating a new one. http://kbase.redhat.com/faq/docs/DOC-17273 Is that true and will setting this value in the Connector help? emptySessionPath=false Thank you for your help. Upgrading to a newer version of JBoss is acceptable if needed, but a short term fix could help buy me a little more time to manage the upgrade. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4270112#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...