tomcat-users mailing list archives

From Peter Stavrinides <p.stavrini...@albourne.com>
Subject Re: Using a custom method of session-id propagation
Date Tue, 04 Mar 2008 15:47:47 GMT
The problem is that the server needs to be the one generating the 
session id for a number of reasons, i.e.: ensuring it is always unique 
and set correctly, and it's best left that way... so I think you're 
walking down a dark alley and it's not likely that the API would ever 
allow this as it opens up untold security holes.

Furthermore, without using a URL or cookies to transport the id how do 
you propose that the server should communicate it to an agent? ...not 
sure if XML over HTTP / SOAP could potentially provide a solution, but 
then again you have similar problems with proxies and firewalls etc. in 
any event.

Good luck,
Peter

Tom van Wietmarschen wrote:
> L.S.,
>
> I was wondering if it is possible to write a custom method of
> propagating the session ID between HTTP requests. Specifically: we want
> to store the session id in an X-ourcompanyname-sessionid header (we use a
> custom http client so we can modify that to send the sessionid back in a
> header).
>
> The reason for this is that we have to deal with clients that are using
> mobile data connections, and mobile phone operators sometimes feel the
> need to mess with a client's cookies and sessions as well as doing other
> kinds of nasty things in their proxies. Non-standard headers are usually
> left alone.
>
> I've been looking at a way to do this but I can't find a solution,
> filters seem to be too late in the chain: a request object is already
> created and there is no way to even instantiate a session object from a
> self-supplied session-id let alone replace the current session object in
> the HttpRequest.
>
> Does anyone know if there is a way to write my own handlers for
> retrieving and setting the current sessionid and have Tomcat use that
> instead of looking at the requesturl or cookies?
>
> Sincerely,
>    Tom van Wietmarschen
>
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

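The two constraints raised in this thread, an ID carried in a custom header and an ID that only the server generates, can be combined at the application level. The following is an added example, not code from the thread or from Tomcat: `HeaderSessionStore`, `Session` and `resolve` are hypothetical names, and the class keeps its own session map instead of hooking into Tomcat's session manager.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (assumption: sessions are tracked by the application, not by Tomcat).
public class HeaderSessionStore {
    static final String HEADER = "X-ourcompanyname-sessionid"; // header name from the question
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;

    static final class Session {
        final String id;
        final Map<String, Object> attributes = new ConcurrentHashMap<>();
        volatile long lastSeenMillis;
        Session(String id, long now) { this.id = id; this.lastSeenMillis = now; }
    }

    HeaderSessionStore(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }
    // Returns the live session for the presented header value, or a new session with a
    // server-generated ID. A value the server did not issue is never adopted as an ID.
    Session resolve(String presentedId, long now) {
        if (presentedId != null) {
            Session s = sessions.get(presentedId);
            if (s != null && now - s.lastSeenMillis <= idleTimeoutMillis) {
                s.lastSeenMillis = now;
                return s;
            }
            sessions.remove(presentedId); // unknown or expired: drop it and issue a fresh ID
        }
        byte[] raw = new byte[16]; // 128 random bits from a CSPRNG
        RNG.nextBytes(raw);
        Session fresh = new Session(Base64.getUrlEncoder().withoutPadding().encodeToString(raw), now);
        sessions.put(fresh.id, fresh);
        return fresh;
    }

    public static void main(String[] args) {
        HeaderSessionStore store = new HeaderSessionStore(30 * 60 * 1000L);
        Session a = store.resolve(null, 0L);                   // first request, no header
        Session b = store.resolve(a.id, 1000L);                // client echoes the issued ID
        Session c = store.resolve("client-chosen-id", 2000L);  // constructed, never issued
        Session d = store.resolve(a.id, 31 * 60 * 1000L);      // presented after idle timeout
        System.out.println(HEADER + ": " + a.id + " reused on echo: " + (a == b));
        System.out.println("client-chosen id adopted: " + c.id.equals("client-chosen-id"));
        System.out.println("expired id replaced: " + !d.id.equals(a.id));
    }
}
```

In a servlet filter, `resolve` would be called with the value of the request header, and the returned `id` written back to the response header on every reply.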