tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: domain-wide session cookies?
Date Mon, 24 Mar 2003 19:44:04 GMT


On Thu, 20 Mar 2003, Aditya wrote:

> Date: Thu, 20 Mar 2003 21:40:20 -0800
> From: Aditya <aditya@grot.org>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: tomcat-dev@jakarta.apache.org
> Subject: domain-wide session cookies?
>
> Under Tomcat-4 it looks like the session cookie is set in:
>
>   org/apache/catalina/connector/HttpResponseBase.java
>
> and the code that sets it uses the default domain (which is equal to the
> request hostname.domain.tld) when it sets the session cookie. I need to set
> the cookie to be domain-wide, i.e. ".domain.tld", however it seems silly to
> hardcode it in the above class.
>
> Before I tackle this:
>
> 0) is there a better way to do it?
>
> 1) if not, is this the right place to do it?
>
> 2) what is the best place (i.e. where in server.xml) to put an option to enable
> this?
>

I personally prefer option 3 -- don't change anything.  Exposing session
id cookies to a broader audience than just the webapp that created them is
a security vulnerability.  If you need to share stuff across webapps, use
some other cookie, not the container-managed one.

> Thanks,
> Adi

Craig
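The point Craig makes (a session id cookie with Domain=.domain.tld is sent to every host under domain.tld, not just the webapp that created it, whereas a separate shared cookie can be widened without touching the container-managed one) can be made concrete with a small simulation of browser cookie scoping. The code below is an added example, not part of the original thread and not Tomcat code; it applies the domain-matching rule of RFC 6265 section 5.1.3 (a cookie with no Domain attribute is host-only; a Domain attribute, with or without a leading dot, matches that domain and all its subdomains, never IP literals, and is rejected if it does not cover the host that set it). All hostnames and cookie values are constructed for illustration.

```python
"""Added example (not from the tomcat-dev thread): which hosts receive a cookie,
depending on whether Tomcat sent it host-only or with a Domain attribute."""

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # setting host (host-only) or the Domain attribute, no leading dot
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the domain, or ends with '.' + domain and is not an IP."""
    host = request_host.lower().rstrip(".")
    if host == cookie_domain:
        return True
    try:
        ip_address(host)
        return False              # IP literals never suffix-match a domain
    except ValueError:
        return host.endswith("." + cookie_domain)


def parse_set_cookie(setting_host: str, header: str) -> Optional[Cookie]:
    """Build a Cookie from a Set-Cookie header value received from setting_host.
    Only the Domain attribute is interpreted; Path/Secure/HttpOnly are ignored here.
    Returns None when the Domain attribute does not cover the setting host
    (a browser discards such a cookie, RFC 6265 s5.3 step 6)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    setting_host = setting_host.lower()
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip().lower().lstrip(".")   # leading dot is ignored (s5.2.3)
    if domain is None:
        return Cookie(name, value, setting_host, host_only=True)
    if not domain_matches(setting_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: Iterable[str]) -> List[str]:
    """Every host in `hosts` (order preserved) that would be sent the cookie."""
    return [h for h in hosts if is_sent_to(cookie, h)]


def cookies_sent_to(jar: Iterable[Cookie], request_host: str) -> List[str]:
    """Names of the cookies in `jar` that a request to request_host would carry."""
    return sorted(c.name for c in jar if is_sent_to(c, request_host))


# Constructed hosts: the webapp's own host, sibling hosts under the same
# domain, look-alike names outside it, and an IP literal.
HOSTS = [
    "www.domain.tld",
    "shop.domain.tld",
    "intranet.domain.tld",
    "domain.tld",
    "domain.tld.attacker.example",
    "notdomain.tld",
    "10.0.0.5",
]

# Tomcat's default: JSESSIONID without a Domain attribute (host-only).
SESSION_HOST_ONLY = parse_set_cookie("www.domain.tld", "JSESSIONID=1A2B3C; Path=/")
# The change asked about in the thread: the same session id, domain-wide.
SESSION_DOMAIN_WIDE = parse_set_cookie("www.domain.tld", "JSESSIONID=1A2B3C; Domain=.domain.tld; Path=/")
# Craig's alternative: a separate, non-session cookie is the one widened.
SHARED_COOKIE = parse_set_cookie("www.domain.tld", "SHARED_PREF=u42; Domain=.domain.tld; Path=/")

if __name__ == "__main__":
    print("host-only JSESSIONID goes to :", hosts_receiving(SESSION_HOST_ONLY, HOSTS))
    print("domain-wide JSESSIONID goes to:", hosts_receiving(SESSION_DOMAIN_WIDE, HOSTS))
    jar = [SESSION_HOST_ONLY, SHARED_COOKIE]
    print("intranet.domain.tld receives :", cookies_sent_to(jar, "intranet.domain.tld"))
    print("www.domain.tld receives      :", cookies_sent_to(jar, "www.domain.tld"))
```

Running it shows the two scopes side by side: the host-only JSESSIONID is returned only to www.domain.tld, while the Domain=.domain.tld variant is also sent to shop, intranet and the bare domain.tld, so any server under that domain sees the session id. With the shared cookie widened instead, intranet.domain.tld receives SHARED_PREF but not JSESSIONID, which is the separation Craig recommends.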
