tomcat-users mailing list archives

From "G. Wade Johnson" <wade.john...@abbnm.com>
Subject Re: Session tracking over redirections with multiple domain names
Date Thu, 15 May 2003 18:53:22 GMT
Actually, browsers never were supposed to allow cookies to go to
different domains. It requires a small amount of effort to allow the
cookie to go to multiple servers in the same domain. (Adding the domain
attribute to the cookie when it is set.)

G. Wade

John Corrigan wrote:
> 
> Sounds like a security setting in the browser.  Newer browsers don't allow
> cookies to go to different domains than they were set in unless the security
> setting has been changed by the user AFAIK.
> 
> -----Original Message-----
> From: Gerrit Einhoff [mailto:gerein@gmx.de]
> Sent: Thursday, May 15, 2003 10:26 AM
> To: tomcat-user@jakarta.apache.org
> Subject: Session tracking over redirections with multiple domain names
> 
> Hi.
> 
> I got the following web application setup with Tomcat 4.0.3 behind Apache
> 1.3:
> 
> JSP1 with a <form>
> --POST--> servlet
> --relative-redirect(response.sendRedirect())--> JSP2
> 
> A session is supposed to be held over all three requests (JSP, servlet,
> JSP).
> The problem is that my host has multiple domain-names, but Tomcat sends the
> redirect to the domain name that is configured in the <host>-tag in
> server.xml. This is no problem with URL-rewriting but loses the session for
> JSP2 if cookies are used.
> 
> Example:
> 
> <host name="domain1.com">
> domain1.com and domain2.com both point to the same virtual server in apache.
> 
> browse to: http://domain2.com/JSP1
> submit form
> --> request: http://domain2.com/servlet
> servlet uses response.sendRedirect("JSP2");
> Tomcat sends:
> --> redirect: http://domain1.com/JSP2
> 
> Now since the browser registered the cookie for domain2.com, it does not
> send it back for the JSP2 request. Therefore JSP2 requests a new cookie and
> loses the old session.
> 
> Is there a way to tell Tomcat to use the same domain for redirect that the
> request used? Is there another way to avoid this problem?
> 
> I already experimented with the <Alias> field in <Host>, but I don't really
> understand what it's good for... Can anybody explain?
> 
> Thanks a lot, Gerrit
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

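The cookie scoping behind this thread, as an added example that is not part of the original messages: a JavaScript model of the RFC 6265 domain-match rule, applied to the thread's domain2.com to domain1.com redirect. The function names and the `www`/`app` subdomains are assumptions for illustration; the public-suffix checks that real browsers also apply are not modeled.

```javascript
// Added example: models which hosts a browser returns a cookie to (RFC 6265).
// Function names and the www/app subdomains are illustrative assumptions.

// Canonical form for comparison: lower-case, no trailing dot.
function canon(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical, or the host ends in "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = canon(host);
  const d = canon(cookieDomain);
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + d);
}

// What the browser stores for a Set-Cookie received from setHost.
// No Domain attribute -> host-only cookie. A Domain attribute that the
// setting host does not domain-match is rejected (null).
function storeCookie(setHost, domainAttr) {
  if (!domainAttr) return { domain: canon(setHost), hostOnly: true };
  const d = canon(domainAttr.replace(/^\./, '')); // a leading dot is ignored
  return domainMatch(setHost, d) ? { domain: d, hostOnly: false } : null;
}

// Would the stored cookie be attached to a request for requestHost?
function wouldSend(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? canon(requestHost) === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// The thread's scenario: session cookie set on domain2.com, redirect to domain1.com.
function threadScenario() {
  const session = storeCookie('domain2.com', null);
  const shared = storeCookie('www.domain1.com', 'domain1.com');
  return {
    sameHost: wouldSend(session, 'domain2.com'),
    afterRedirect: wouldSend(session, 'domain1.com'),
    crossDomainAttr: storeCookie('domain2.com', 'domain1.com'),
    sibling: wouldSend(shared, 'app.domain1.com'),
    otherDomain: wouldSend(shared, 'domain2.com'),
  };
}

console.log(threadScenario());
```

A Domain attribute widens the cookie to every host under that domain, so a session cookie left host-only is the narrower scope; neither form carries a session from domain2.com to domain1.com.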