tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Tomcat security directive for preserving context and sessionids?
Date Mon, 24 Jan 2000 16:12:25 GMT
Jim Metcalf wrote:

> > We recently changed over to Apache/Tomcat from Apache/JServ.
> >
> > Question: When using Apache/JServ the HttpSessionContext id for different sessions
> > is the same. This is good and is what is expected. Session ids for that context can be
> > retrieved and are enumerated. All is well.
> >

Apache JServ complies with the 2.0 version of the servlet API in this regard.

> > Apache/Tomcat however...ack! The HttpSessionContext id is not preserved; that is,
> > there is no common context in the server that can be retrieved so that session ids for that
> > context can be enumerated.
> >

What you are seeing is the fact that HttpSessionContext was deprecated in the 2.1 (and later)
versions of the servlet API. This was done for good security-related reasons, and there is
no replacement functionality. If you want to be able to enumerate sessions, you're going to
have to manufacture some sort of capability internal to your application, outside the
functionality provided by the servlet engine.

> > Is there a Tomcat security directive I'm missing here that might be applied? I've
> > looked through the FAQs, the forums, the archived elements of this listserv, etc. and
> > cannot find a reference to this issue. Thank you.

Nope ... but I would suggest you grab a copy of the current servlet spec <>.
Besides the fact that HttpSessionContext is no more, you'll find many other changes that
you have to be aware of when utilizing Tomcat or any other servlet engine that implements
the 2.2 spec -- the other common big impact is the fact that ServletContext.getServlet()
is also deprecated and now returns null.

> >
> > Jim Metcalf

Craig McClanahan
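One way to build the application-internal session tracking the reply describes, as an added example that is not part of this message or of Tomcat: it relies only on HttpSessionBindingListener, which has existed since Servlet 2.0, so it works on a 2.2 engine without HttpSessionContext. The attribute name and class name are placeholders.

```java
// Added example (not from the message or from Tomcat): an application-private
// session registry for a Servlet 2.2 engine, where HttpSessionContext is gone.
// A marker object is bound into each session; the engine's binding callbacks
// register the session on bind and drop it when the session is invalidated,
// times out, or has the attribute removed. Session ids never leave this class.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

public final class SessionRegistry implements HttpSessionBindingListener {
    // Registry shared across this web application, keyed by session id.
    // Only the application's own code can reach it; the engine exposes nothing.
    private static final Map ACTIVE = Collections.synchronizedMap(new HashMap());
    // Placeholder attribute name under which the marker is stored in each session.
    private static final String KEY = "example.sessionRegistry";

    private SessionRegistry() {}

    /** Call from a servlet on each request (e.g. after request.getSession()); idempotent. */
    public static void track(HttpSession session) {
        if (session.getAttribute(KEY) == null) {
            session.setAttribute(KEY, new SessionRegistry());
        }
    }

    /** Number of live sessions this application knows about. */
    public static int activeCount() {
        return ACTIVE.size();
    }

    /** Invalidate every tracked session (e.g. forced logout); ids are not returned to callers. */
    public static void invalidateAll() {
        HttpSession[] snapshot;
        synchronized (ACTIVE) {
            snapshot = (HttpSession[]) ACTIVE.values().toArray(new HttpSession[0]);
        }
        for (int i = 0; i < snapshot.length; i++) {
            try { snapshot[i].invalidate(); } catch (IllegalStateException e) { /* already gone */ }
        }
    }

    // Engine calls this when the marker is bound into a session.
    public void valueBound(HttpSessionBindingEvent ev) {
        ACTIVE.put(ev.getSession().getId(), ev.getSession());
    }

    // Engine calls this on invalidate(), timeout, or removeAttribute().
    public void valueUnbound(HttpSessionBindingEvent ev) {
        ACTIVE.remove(ev.getSession().getId());
    }
}
```

Because the registry is private to the web application, other applications on the same engine cannot reach it, which is the separation the deprecation of HttpSessionContext was meant to enforce.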
