tomcat-users mailing list archives

From John Turner <tomcat-u...@johnturner.com>
Subject Re: Session tracking over redirections with multiple domain names
Date Thu, 15 May 2003 19:25:22 GMT

No apologies necessary, I wasn't clear what you meant.

John

On Thu, 15 May 2003 14:15:51 -0500, G. Wade Johnson 
<wade.johnson@abbnm.com> wrote:

> I actually was not talking about what Microsoft calls third-party
> cookies. I was answering the original statement that new browsers don't
> allow cookies to go to a domain different than the one they were set
> in. Barring browser bugs, this has never been legal.
>
> That issue does not have any relation to cookies being set by resources
> in different domains that are referenced by your page (frames, images,
> applets, etc.) As you say, Microsoft's interpretation of this concept
> has caused loads of grief to application developers all over when IE 6
> came out.
>
> If I misunderstood the original statement, I apologize for any
> confusion I may have caused.
>
> G. Wade
>
> John Turner wrote:
>>
>> Not using third-party cookies breaks some web-based applications.
>>
>> For example, a solution that incorporates services on a Microsoft platform
>> as well as a Linux platform.  Each server has to have its own FQDN, but the
>> user wants to see the content from both in one browser window (not two)
>> with a consistent interface.  Enter the frameset, where one frame contains
>> content from serverA.domain.com, and another frame contains content from
>> serverB.domain.com.
>>
>> Granted, in general purpose web browsing there is no need to do this or
>> even allow it by default, but in an enterprise solution where you are
>> reselling a service or application to a client, the potential for needing
>> third-party cookies can be pretty large.
>>
>> John
>>
>> On Thu, 15 May 2003 13:53:22 -0500, G. Wade Johnson
>> <wade.johnson@abbnm.com> wrote:
>>
>> > Actually, browsers never were supposed to allow cookies to go to
>> > different domains. It requires a small amount of effort to allow the
>> > cookie to go to multiple servers in the same domain. (Adding the domain
>> > attribute to the cookie when it is set.)
>> >
>> > G. Wade
>> >
>> > John Corrigan wrote:
>> >>
>> >> Sounds like a security setting in the browser.  Newer browsers don't allow
>> >> cookies to go to different domains than they were set in unless the security
>> >> setting has been changed by the user AFAIK.
>> >>
>> >> -----Original Message-----
>> >> From: Gerrit Einhoff [mailto:gerein@gmx.de]
>> >> Sent: Thursday, May 15, 2003 10:26 AM
>> >> To: tomcat-user@jakarta.apache.org
>> >> Subject: Session tracking over redirections with multiple domain names
>> >>
>> >> Hi.
>> >>
>> >> I got the following web application setup with Tomcat 4.0.3 behind Apache 1.3:
>> >>
>> >> JSP1 with a <form>
>> >> --POST--> servlet
>> >> --relative-redirect(response.sendRedirect())--> JSP2
>> >>
>> >> A session is supposed to be held over all three requests (JSP, servlet, JSP).
>> >> The problem is that my host has multiple domain-names, but Tomcat sends the
>> >> redirect to the domain name that is configured in the <host>-tag in
>> >> server.xml. This is no problem with URL-rewriting but loses the session for
>> >> JSP2 if cookies are used.
>> >>
>> >> Example:
>> >>
>> >> <host name="domain1.com">
>> >> domain1.com and domain2.com both point to the same virtual server in
>> >> apache.
>> >>
>> >> browse to: http://domain2.com/JSP1
>> >> submit form
>> >> --> request: http://domain2.com/servlet
>> >> servlet uses response.sendRedirect("JSP2");
>> >> Tomcat sends:
>> >> --> redirect: http://domain1.com/JSP2
>> >>
>> >> Now since the browser registered the cookie for domain2.com, it does not send
>> >> it back for the JSP2 request. Therefore JSP2 requests a new cookie and loses
>> >> the old session.
>> >>
>> >> Is there a way to tell Tomcat to use the same domain for redirect that the
>> >> request used? Is there another way to avoid this problem?
>> >>
>> >> I already experimented with the <Alias> field in <Host>, but I don't really
>> >> understand what it's good for... Can anybody explain?
>> >>
>> >> Thanks a lot, Gerrit
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> >> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>> --
>> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
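
Added example (not part of the original thread and not Tomcat code): a simplified Python model of the browser cookie scoping discussed above. It shows why the session cookie set for domain2.com is not returned after the redirect to domain1.com, and how a Domain attribute lets serverA.domain.com and serverB.domain.com share one cookie. The BrowserJar class, the function names and the JSESSIONID values are constructed for illustration; Path, Secure, expiry and public-suffix checks are omitted.

```python
# Added example: simplified model of browser cookie scoping (RFC 6265 rules).
# Host names come from the thread; class, functions and values are constructed.

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class BrowserJar:
    def __init__(self):
        self.cookies = []  # tuples of (name, value, domain, host_only)

    def store(self, origin_host, name, value, domain_attr=None):
        """Process a Set-Cookie from origin_host; return True if accepted."""
        if domain_attr is None:
            # No Domain attribute: host-only cookie, returned to this exact host.
            self.cookies.append((name, value, origin_host.lower(), True))
            return True
        if not domain_match(origin_host, domain_attr):
            # A server may not set a cookie for a domain it does not belong to.
            return False
        self.cookies.append((name, value, domain_attr.lower().lstrip("."), False))
        return True

    def cookies_for(self, request_host):
        """Return the cookies the browser would attach to a request."""
        sent = {}
        for name, value, domain, host_only in self.cookies:
            if host_only:
                ok = request_host.lower() == domain
            else:
                ok = domain_match(request_host, domain)
            if ok:
                sent[name] = value
        return sent


def redirect_scenario():
    """Session cookie set by domain2.com, then a redirect to domain1.com."""
    jar = BrowserJar()
    jar.store("domain2.com", "JSESSIONID", "constructed-session-1")
    return jar.cookies_for("domain2.com"), jar.cookies_for("domain1.com")


def shared_domain_scenario():
    """serverA sets Domain=domain.com; domain2.com tries Domain=domain1.com."""
    jar = BrowserJar()
    ok = jar.store("serverA.domain.com", "JSESSIONID", "constructed-session-2", "domain.com")
    bad = jar.store("domain2.com", "JSESSIONID", "constructed-session-3", "domain1.com")
    return ok, bad, jar.cookies_for("serverB.domain.com")
```
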
