Thursday, July 18, 2002 02:23 AM
I don't think that what you are trying to do is a good way to do things. Maybe that's why Tomcat won't let you do so.
What you are doing there is using the session ID to authenticate your user on the second (third, ...) connection to your server, as long as the reconnection is done before the timeout (many long minutes).
Because of this you make the server very weak, because anyone can get authenticated by knowing only the sessionId.
I think that you should use your own way of keeping semi-persistent data from the session, with easy access as soon as the session is established, and still use the full authentication process to reauthenticate your client.