tomcat-users mailing list archives

From "G. Wade Johnson" <wade.john...@abbnm.com>
Subject Re: Session tracking over redirections with multiple domain names
Date Thu, 15 May 2003 19:15:51 GMT
I actually was not talking about what Microsoft calls third-party
cookies. I was answering the original statement that new browsers don't
allow cookies to go to a domain different than the one they were set
in. Barring browser bugs, this has never been legal.

That issue does not have any relation to cookies being set by resources
in different domains that are referenced by your page (frames, images,
applets, etc.). As you say, Microsoft's interpretation of this concept
has caused loads of grief to application developers all over when IE 6
came out.

If I misunderstood the original statement, I apologize for any
confusion I may have caused.

G. Wade

John Turner wrote:
> 
> Not using third-party cookies breaks some web-based applications.
> 
> For example, a solution that incorporates services on a Microsoft platform
> as well as a Linux platform.  Each server has to have its own FQDN, but the
> user wants to see the content from both in one browser window (not two)
> with a consistent interface.  Enter the frameset, where one frame contains
> content from serverA.domain.com, and another frame contains content from
> serverB.domain.com.
> 
> Granted, in general purpose web browsing there is no need to do this or
> even allow it by default, but in an enterprise solution where you are
> reselling a service or application to a client, the potential for needing
> third-party cookies can be pretty large.
> 
> John
> 
> On Thu, 15 May 2003 13:53:22 -0500, G. Wade Johnson
> <wade.johnson@abbnm.com> wrote:
> 
> > Actually, browsers never were supposed to allow cookies to go to
> > different domains. It requires a small amount of effort to allow the
> > cookie to go to multiple servers in the same domain. (Adding the domain
> > attribute to the cookie when it is set.)
> >
> > G. Wade
> >
> > John Corrigan wrote:
> >>
> >> Sounds like a security setting in the browser.  Newer browsers don't allow
> >> cookies to go to different domains than they were set in unless the security
> >> setting has been changed by the user AFAIK.
> >>
> >> -----Original Message-----
> >> From: Gerrit Einhoff [mailto:gerein@gmx.de]
> >> Sent: Thursday, May 15, 2003 10:26 AM
> >> To: tomcat-user@jakarta.apache.org
> >> Subject: Session tracking over redirections with multiple domain names
> >>
> >> Hi.
> >>
> >> I got the following web application setup with Tomcat 4.0.3 behind Apache
> >> 1.3:
> >>
> >> JSP1 with a <form>
> >> --POST--> servlet
> >> --relative-redirect(response.sendRedirect())--> JSP2
> >>
> >> A session is supposed to be held over all three requests (JSP, servlet, JSP).
> >> The problem is that my host has multiple domain-names, but Tomcat sends the
> >> redirect to the domain name that is configured in the <host>-tag in
> >> server.xml. This is no problem with URL-rewriting but loses the session for
> >> JSP2 if cookies are used.
> >>
> >> Example:
> >>
> >> <host name="domain1.com">
> >> domain1.com and domain2.com both point to the same virtual server in apache.
> >>
> >> browse to: http://domain2.com/JSP1
> >> submit form
> >> --> request: http://domain2.com/servlet
> >> servlet uses response.sendRedirect("JSP2");
> >> Tomcat sends:
> >> --> redirect: http://domain1.com/JSP2
> >>
> >> Now since the browser registered the cookie for domain2.com, it does not send
> >> it back for the JSP2 request. Therefore JSP2 requests a new cookie and loses
> >> the old session.
> >>
> >> Is there a way to tell Tomcat to use the same domain for redirect that the
> >> request used? Is there another way to avoid this problem?
> >>
> >> I already experimented with the <Alias> field in <Host>, but I don't really
> >> understand what it's good for... Can anybody explain?
> >>
> >> Thanks a lot, Gerrit
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

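The cookie scoping rules discussed in this thread, as an added example that is not part of any poster's message: a small Python model of the browser's domain-match rule (RFC 6265, section 5.1.3) applied to the domain1.com/domain2.com redirect and to the serverA/serverB frameset. The function names are hypothetical, and a single-label check stands in for the browser's public-suffix check.

```python
import ipaddress
from typing import Optional
from urllib.parse import urljoin, urlsplit

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or a suffix on a label boundary."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")   # a leading dot in Domain is ignored
    if host == dom:
        return True
    return host.endswith("." + dom) and not _is_ip(host)

def browser_accepts(origin_host: str, domain_attr: Optional[str]) -> bool:
    """A server may only name a Domain that covers its own host name."""
    if domain_attr is None:
        return True                          # host-only cookie
    if "." not in domain_attr.strip("."):
        return False                         # simplification: stands in for the public-suffix check
    return domain_match(origin_host, domain_attr)

def browser_sends(origin_host: str, domain_attr: Optional[str], request_host: str) -> bool:
    """Decide whether a stored cookie accompanies a request to request_host."""
    if domain_attr is None:                  # host-only: exact host that set it
        return request_host.lower() == origin_host.lower()
    return domain_match(request_host, domain_attr)

def redirect_target(base_host: str, location: str) -> str:
    """Host a relative Location resolves to when made absolute against base_host."""
    return urlsplit(urljoin(f"http://{base_host}/servlet", location)).hostname

def session_survives(request_host: str, redirect_base: str,
                     domain_attr: Optional[str] = None) -> bool:
    """Session cookie set on request_host; redirect made absolute against redirect_base."""
    if not browser_accepts(request_host, domain_attr):
        return False
    return browser_sends(request_host, domain_attr, redirect_target(redirect_base, "JSP2"))

if __name__ == "__main__":
    print(session_survives("domain2.com", "domain1.com"))  # setup from the original post
    print(session_survives("domain2.com", "domain2.com"))  # redirect kept on the request's host
    print(session_survives("serverA.domain.com", "serverB.domain.com", "domain.com"))
```

Setting `Domain=domain.com` makes the session cookie available to every host under that domain, so the widened scope should cover only hosts that are trusted to see the session identifier.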
