Hi all,

I seem to have found a possible security problem with ISA2000. Our setup includes a route to an upstream ISA2000 to our head office and the last route to a DSL connection. If we use the default route rule caching options everything works fine; however, if we use the cache option 'any version of the object' instead of the default option 'A valid version of the object', we find that users can inadvertently hijack what seems to be another user's cookie/web session.

To explain this a bit more clearly: if user 1 logs onto his personal webmail or online trading account and maybe disconnects rather than logging off, and user 2 logs onto their own personal webmail or trading site using their own logon details from the same website (even on a separate computer), it will display user 1's emails and personal information as if you were actually logged on as user 1. Any ability to change and delete settings seems to only affect your account, but you can read and download anything from user 1.

Can anyone explain this?

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx
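
The symptom reported above, modelled as an added example (not part of the original post and not ISA Server's actual code). It assumes one possible mechanism: the shared cache keys objects by URL alone, and the origin marks personalised pages as already expired rather than as private; all names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    body: str
    expires: float  # absolute expiry time supplied by the origin

def origin(method, url, cookie):
    """Constructed origin: the page depends on the session cookie and is sent
    already expired (expires=0), but nothing marks it as private."""
    return Entry(body=f"{method} {url} for {cookie}", expires=0.0)

class SharedCache:
    """Simplified model of a caching proxy shared by all users (assumption)."""

    def __init__(self, policy):
        if policy not in ("valid", "any"):
            raise ValueError("policy must be 'valid' or 'any'")
        self.policy = policy
        self.store = {}  # keyed by URL only: the cookie is not part of the key

    def request(self, method, url, cookie, now=1.0):
        if method != "GET":
            # Writes are never answered from cache, so they reach the origin
            # with the caller's own cookie and affect only the caller's account.
            return origin(method, url, cookie).body
        hit = self.store.get(url)
        # 'valid' serves a hit only while it is fresh; 'any' serves it regardless.
        if hit and (self.policy == "any" or hit.expires > now):
            return hit.body
        fresh = origin(method, url, cookie)
        self.store[url] = fresh
        return fresh.body

def demo(policy):
    """User 1 reads the inbox, then user 2 reads it and changes a setting."""
    cache = SharedCache(policy)
    cache.request("GET", "/inbox", "user1")
    read = cache.request("GET", "/inbox", "user2")
    write = cache.request("POST", "/settings", "user2")
    return read, write

if __name__ == "__main__":
    for policy in ("valid", "any"):
        print(policy, demo(policy))
```

In this model the mitigation on the proxy side is to keep the 'valid version' policy for routes that carry authenticated traffic, since the 'any' policy ignores the only signal the origin sent.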