tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Losing cookie if hostname different, under apache
Date Thu, 10 Aug 2000 17:07:22 GMT
Rachel Greenham wrote:

> It's an odd one:

It becomes less odd when you understand what is going on ... see below.

> It would appear that, under Apache, if you change the hostname by which you
> access a web server, even if that hostname resolves to the same actual host,
> Tomcat can't pick up the cookie.

Cookies are matched, in the client browser, by the domain (or domain+host)
name that is specified.  Therefore, when you change hostnames, it is the
browser that does not know the two names are referring to the same host.
Tomcat has nothing to do with this.

> ie: As I'm on the same subnet, I start with http://myhost/ but as I progress
> through the site a redirect or something including just me typing a URL
> directly, causing a switch to using the FQDN eg:
> http://myhost.mydomain.etc/, the switch causes Tomcat to mislay the cookie
> or session object.

It's not mislaid -- "myhost" and "myhost.mydomain.etc" are not the same
so they are considered (again, by the browser not the server) to be two
different hosts.  Therefore, it only sends the cookie back to the hostname
that sent it.  Use the same name consistently throughout your app.

You should *always* use a consistent host name throughout your web
applications.  The easiest way to achieve this goal is to use relative URLs
for all of your hyperlinks.  When the client receives a relative URL, it
automatically uses the host name and address of the page containing that
link, so the host name will always be the same.

> But this *doesn't* happen when Tomcat is used in standalone mode - ie: if I
> access the same site on port 8080 rather than port 80, and again switch from
> http://myhost/ to http://myhost.mydomain.etc/ - the cookie/session object
> remains accessible regardless of changes in the hostname the client makes.

Actually, that sounds like a bug.  It should not be accessible.

> The problem only occurs when the site is used through Apache, so presumably
> it's a problem in Apache and/or the JServ connector. I tried uncommenting
> the ServerName directive in httpd.conf so it explicitly specifies the host's
> FQDN but it made no difference. Any ideas anyone?
> I'm not even sure I should be considering it a bug, as this might be a
> necessary thing to allow virtual hosting to work in Apache.
> FWIW: Apache 1.3.12, Tomcat 3.1 (including built from Tomcat
> 3.1 sources), running on Linux and Sun JDK1.3 beta.
> --
> Rachel

For further information on how cookies are supposed to work, see the
standard for them:  RFC 2109.  Among other places, you can find the RFCs
one of the search engines at <>.

Craig McClanahan
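
The browser-side matching described in the reply above, as an added example that is not part of the original message or of Tomcat: a simplified sketch of the RFC 2109 storage and matching rules. Function names and cookie names are hypothetical; the host names are the ones used in the thread.

```javascript
// Simplified RFC 2109 host matching, as performed by the browser (not the server).

// domain-match: identical strings, or host = <non-empty name> + ".domain".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return domain.startsWith(".") && host.length > domain.length && host.endsWith(domain);
}

// Decide whether a Set-Cookie received from requestHost is stored, and for which domain.
// Without a Domain attribute the cookie is bound to the exact request host.
function storeCookie(requestHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    return { name, value, domain: requestHost.toLowerCase() };
  }
  const d = domainAttr.toLowerCase();
  // Rejected: Domain must start with a dot and contain an embedded dot.
  if (!d.startsWith(".") || !d.slice(1, -1).includes(".")) return null;
  // Rejected: the request host must domain-match the Domain attribute.
  if (!domainMatches(requestHost, d)) return null;
  // Rejected: the host part in front of the domain may not itself contain a dot.
  const prefix = requestHost.slice(0, requestHost.length - d.length);
  if (prefix.includes(".")) return null;
  return { name, value, domain: d };
}

// Names of the cookies the browser would attach to a request for requestHost.
function cookiesFor(jar, requestHost) {
  return jar.filter((c) => domainMatches(requestHost, c.domain)).map((c) => c.name);
}

// Constructed jar: a session cookie set while browsing http://myhost/ (no Domain
// attribute) and a cookie set from the FQDN with an explicit Domain attribute.
const jar = [
  storeCookie("myhost", "SESSIONID", "abc123"),
  storeCookie("myhost.mydomain.etc", "PREF", "1", ".mydomain.etc"),
];

for (const host of ["myhost", "myhost.mydomain.etc", "other.mydomain.etc"]) {
  console.log(host, "->", cookiesFor(jar, host));
}
```

The session cookie set under the short name is never sent to the FQDN, and a short name without dots can never match a Domain attribute, which is why one consistent host name is the dependable fix.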
