tomcat-users mailing list archives

From "Jonathan Kushner" <JKush...@npr.org>
Subject RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Date Mon, 24 Nov 2008 19:40:08 GMT
I will forward your response about upgrading tomcat to the appropriate team, however we are
only using tomcat internally so I do not believe it's a major concern. In regards to the current
issue, I'm at a loss on the appropriate measures to take. Here's my original email which was
sent to the system administrator. Maybe you can take a gander at it and help me understand
a better approach to take without modifying the codebase:

--- START ---
I'm currently working on a Seamus Issue which disallows the user from operating on separate
session namespaces within the same browser instance. For example, when a user instantiates
a new tab and loads a separate story, the second story will overwrite the first since we have
no measure to separate these separate tabular "sessions". This effect (untested on my end)
should cascade from the original parent to the last child instance, being that each load will
just overwrite the current data container. There are a couple different methods to handle
this; however the easiest approach would be to modify the tomcat configuration to append the
JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace
for each distinct tab-load, and essentially delegate out the data to each specific session
namespace. The downside to this is that because it's a full system change, it will most likely
require a full regression test. 

We are seeking alternate approaches within the code-base, however if this approach seems manageable,
it seems to be the most feasible method. What are your feelings on this?
--- END ---

Thanks for the help.

- Jonathan

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Monday, November 24, 2008 2:14 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append

> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append

If you're really running on 5.5.2, you need to move up - ASAP.  Lots and lots of fixes, including
security-related ones, have gone in since that version was released over four years ago.

> I'm working with a current session identity issue between
> separate browser instances, and have decided that the most
> plausible solution is to reconfigure tomcat to auto-append
> the JSESSION ID at the end of each URL.

You will at least need to disable cookies:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes

Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to
participate.  Look at this message for one such technique:
http://marc.info/?l=tomcat-user&m=117583468505179&w=2

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus
for use only by the intended recipient. If you received this in error, please contact the
sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


