Using a 2 node cluster, jboss 4.0.3. In some cases we have to put the jsessionid parameter on the URL. In those cases I can send that URL to another person and they can hijack my session. Is this how jboss is supposed to behave ?