tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Turner <>
Subject Re: Session tracking over redirections with multiple domain names
Date Thu, 15 May 2003 19:00:02 GMT

Not using third-party cookies breaks some web-based applications.

For example, a solution that incorporates services on a Microsoft platform 
as well as a Linux platform.  Each server has to have its own FQDN, but the 
user wants to see the content from both in one browser window (not two) 
with a consistent interface.  Enter the frameset, where one frame contains 
content from, and another frame contains content from

Granted, in general purpose web browsing there is no need to do this or 
even allow it by default, but in an enterprise solution where you are 
reselling a service or application to a client, the potential for needing 
third-party cookies can be pretty large.


On Thu, 15 May 2003 13:53:22 -0500, G. Wade Johnson 
<> wrote:

> Actually, browsers never were supposed to allow cookies to go to
> different domains. It requires a small amount of effort to allow the
> cookie to go to multiple servers in the same domain. (Adding the domain
> attribute to the cookie when it is set.)
> G. Wade
> John Corrigan wrote:
>> Sounds like a security setting in the browswer.  Newer browsers don't 
>> allow
>> cooking to go to different domains than they were set in unless the 
>> security
>> setting has been changed by the user AFAIK.
>> -----Original Message-----
>> From: Gerrit Einhoff []
>> Sent: Thursday, May 15, 2003 10:26 AM
>> To:
>> Subject: Session tracking over redirections with multiple domain names
>> Hi.
>> I got the following web application setup with Tomcat 4.0.3 behind 
>> Apache
>> 1.3:
>> JSP1 with a <form>
>> --POST--> servlet
>> --relative-redirect(response.sendRedirect())--> JSP2
>> A session is supposed to be held over all three requests (JSP, servlet,
>> JSP).
>> The problem is that my host has multiple domain-names, but Tomcat sends 
>> the
>> redirect to the domain name that is configured in the <host>-tag in
>> server.xml. This is no problem with URL-rewriting but looses the session 
>> for
>> JSP2 if cookies are used.
>> Example:
>> <host name="">
>> and both point to the same virtual server in 
>> apache.
>> browse to:
>> submit form
>> --> request:
>> servlet uses response.sendRedirect("JSP2");
>> Tomcat sends:
>> --> redirect:
>> Now since the browser registered the cookie for, it does not
>> send
>> it back for the JSP2 request. Therefore JSP2 requests a new cookie and
>> looses
>> the old session.
>> Is there a way to tell Tomcat to use the same domain for redirect that 
>> the
>> request used? Is there another way to avoid this problem?
>> I already experimented with the <Alias> field in <Host>, but I don't

>> really
>> understand what it's good for... Can anybody explain?
>> Thanks a lot, Gerrit
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Using M2, Opera's revolutionary e-mail client:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message