tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Domainwide JSESSIONID cookie?
Date Tue, 22 Oct 2002 16:23:24 GMT


On Tue, 22 Oct 2002, Jan Kunzmann wrote:

> Date: Tue, 22 Oct 2002 11:49:42 +0200
> From: Jan Kunzmann <kunzmann@masterplan.de>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Domainwide JSESSIONID cookie?
>
> Hi,
>
> Craig R. McClanahan wrote:
> >
> > On Mon, 21 Oct 2002, Jan Kunzmann wrote:
> >>[...]
> >>Is there any way to force Tomcat to create a domainwide JSESSIONID
> >>cookie without any context path (just for the whole mysite.com)?
> >>
> >
> >
> > Doing this
> > would also be a security vulnerability, because it would mean exposing
> > session ids to clients of your server that are not running that webapp
> > (therefore running the risk of some malicious client hijacking the
> > session without even having to snoop the network to find a valid session
> > id).
>
> There is no "running" or "not running" my webapp. The whole site is the
> webapp, but for some reasons it is split in several subdomains. I
> think I need to drill into Tomcat sources for this, don't I?
>

Or use something other than sessions, managed by your own cookie.  That
way, at least, you wouldn't be stuck with a non-standard version of Tomcat
from now on.

> Jan
>

Craig
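One shape the "something other than sessions, managed by your own cookie" suggestion can take, as an added example that is not code from the thread or from Tomcat: a cookie scoped to `.mysite.com` that carries a signed, expiring identity token instead of the container's session id, so the path-scoped JSESSIONID is never exposed to the other subdomains and a stock Tomcat stays in place. The class name, cookie name, 30-minute lifetime, HMAC key handling and Servlet 3.0+ API (`setHttpOnly`) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper: a domain-wide cookie carrying a signed, expiring identity token.
public class DomainTokenCookie {
    private static final String NAME = "MYSITE_ID";      // assumed cookie name
    private static final String DOMAIN = ".mysite.com";  // domain named in the thread
    private static final long TTL_MS = 30 * 60 * 1000L;  // 30 minute lifetime (assumed)
    private final byte[] key;                            // HMAC key shared by all subdomains
    public DomainTokenCookie(byte[] key) { this.key = key.clone(); }

    // Called by the application once it has authenticated 'user' (a plain identifier).
    public void issue(HttpServletResponse res, String user) {
        String payload = user + "|" + (System.currentTimeMillis() + TTL_MS);
        Cookie c = new Cookie(NAME, payload + "|" + hmac(payload));
        c.setDomain(DOMAIN); c.setPath("/"); c.setSecure(true); c.setHttpOnly(true);
        c.setMaxAge((int) (TTL_MS / 1000));
        res.addCookie(c);
    }
    // Returns the user name from a valid, unexpired token on the request, else null.
    public String read(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (NAME.equals(c.getName())) return verify(c.getValue());
        return null;
    }
    String verify(String value) {
        int cut = value.lastIndexOf('|');
        if (cut < 0) return null;
        String payload = value.substring(0, cut);
        byte[] sig = value.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time MAC check before anything in the payload is trusted.
        if (!MessageDigest.isEqual(sig, hmac(payload).getBytes(StandardCharsets.UTF_8))) return null;
        String[] parts = payload.split("\\|");
        return parts.length == 2 && Long.parseLong(parts[1]) > System.currentTimeMillis() ? parts[0] : null;
    }
    private String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

Every host under `.mysite.com` receives this cookie, which is exactly Craig's concern above; the token carries no container session id and expires on its own, so a leak on one subdomain does not hand over the JSESSIONID of another.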



