We are experiencing a problem with our online Java application (servlets & JSPs using WebSphere app. server). When a user logs in with NS and has his data displayed in his browser, it is possible for another user to log in and end up with the original user’s session ID. This normally happens when clicking on a link that runs a second servlet. The problem manifests itself immediately if tested on the same machine – however, we have not been able to reproduce it from machines with different IP addresses. BUT, we know it does happen because a client called in and described the problem and gave us info from the 2nd user’s account. This does not happen in IE. Should the session ID be set in the browser window so that even if the user opened a new window and logged in again he would never get the original session ID? If so, how is this done?
MK