HttpSession mixed using ISA Server 2006 as proxy

Hi guys,

I need your help for this serious problem. I have a java web application using spring-mvc and spring-security deployed in tomcat 6 that works great in normal situations.

I get a client that use ISA Server 2006 as a proxy server and the people that use my app through that proxy experiment some problems with their HttpSessions.

Example:
1. Employee A is logged in the application.
2. Employee B is logged in the application.
3. Employee A clicks a button that list his activities and my app show the activities of Employee A.
4. Employee B clicks a button that list his activities and my app show the activities of Employee A too (that is wrong).

I think It is like the ISA Server was mixing the employee sessions logged in the system, because the session is a cookie (file) and the proxy is caching it exchanging the employee information.

The username showing in my app change too, but when i refresh the page with F5 in the browser or use https the problem is solved.

I test putting html/jsp directives for proxy-nocache but it neither works.

Can anyone knows the reason for that?

Zero

I won't say that it can't work but I have never seen it work.

The ISA is not correctly handling session data .

A configuration that I know works would be to use an Apache web server as a front end and use sticky sessions.

Furthermore ISA server can do many other things which could easily be causing problems depending on if your client has the appliance version or the full server version, what feature they have activated etc .

Also its worth noting that server is old . The REPLACEMENT for that server ( MS TMG 2010 ) came out in November 2009.