tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Garrett Smith <javadevm...@yahoo.com>
Subject Re: Session with subdomain alias [solved] --discussion continues
Date Mon, 02 Dec 2002 05:06:38 GMT
I considered using mod rewrite. There is a problem there. If Apache generates a
redirect from dhtmlkitchen.com to www.dhtmlkitchen.com (no idea why this
happens), the rewrite will send back the session cookie. 

Consider the browser will resolve href="/path/to/resource.jsp" to 
"http://www.dhtmlkitchen.com/path/to/resource.ext." Requesting this resource
(e.g. click the link), and the browser won't send the session cookie, which has
domain="dhtmlkitchen.com" . Am I wrong?

It is not feasable to rewrite TC to violate the spec. Thanks for filling me in
on that. 

One solution (from my host) was to route all req. directly to tomcat. Using
this approach, Apache HTTP doesn't redirect to www. subdomain (don't know why
it did in the first place).

Now I wonder: Could one use an HttpSessionActivationListener implementation and
set the session cookie's domain in the sessionDidActivate handler? I don't want
to do this, but I wonder if it's possible. If so, would it be possible to
selcectively add subdomains such as www.hostname.com, but not xyz.hostname.com?


Garrett




--- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
> 
> 
> On Sun, 1 Dec 2002, Garrett Smith wrote:
> 
> > Date: Sun, 1 Dec 2002 07:41:10 -0800 (PST)
> > From: Garrett Smith <javadevmac2@yahoo.com>
> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > To: tomcat-user@jakarta.apache.org
> > Subject: Session cookie not recognized in www. subdomain alias
> >
> > Hello Tomcat Users,
> >
> >   I am having a problem with access to the www. alias of my site having a
> > different session cookie.
> >
> > What is the proper way to make tomcat use ".dhtmlkitchen.com" for my
> session
> > cookie?
> >
> > To see what I mean, go to http://dhtmlkitchen.com/ and then to
> > http://www.dhtmlkitchen.com/ . You can see the obvious change by the colors
> > (which are session-based).
> >
> > Proof:Javascript:alert(document.cookie)
> >
> > You'll see a different JSESSIONID cookie for www. alias "subdomain."
> >
> > I ask again: What is the proper way to make tomcat use ".dhtmlkitchen.com"
> for
> > my session cookie?
> >
> 
> You'll have to modify your own copy of Tomcat to do this if you want it,
> because it would violate the servlet specification (as well as being a
> potential security hole).
> 
> Craig
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 


=====
http://dhtmlkitchen.com/
JSP | Servlets | DHTML 

Garrett Needs A Job

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message