HttpSession mixed using ISA Server 2006 as proxy

[zerovirus]

Hi guys,

I need your help for this serious problem. I have a java web application using spring-mvc and spring-security deployed in tomcat 6 that works great in normal situations.

I get a client that use ISA Server 2006 as a proxy server and the people that use my app through that proxy experiment some problems with their HttpSessions.

Example:
1. Employee A is logged in the application.
2. Employee B is logged in the application.
3. Employee A clicks a button that list his activities and my app show the activities of Employee A.
4. Employee B clicks a button that list his activities and my app show the activities of Employee A too (that is wrong).

I think It is like the ISA Server was mixing the employee sessions logged in the system, because the session is a cookie (file) and the proxy is caching it exchanging the employee information.

The username showing in my app change too, but when i refresh the page with F5 in the browser or use https the problem is solved.

I test putting html/jsp directives for proxy-nocache but it neither works.

Can anyone knows the reason for that?