tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Res: JSESSIONID Cookie handle customizing
Date Fri, 15 Oct 2010 18:44:56 GMT

On 10/15/2010 12:19 PM, Pid wrote:
> On 15/10/2010 17:02, Juliano Daloia de Carvalho wrote:
>> I'll inject code using an agent.
>> The thing is that I need to know for sure the message entering point on Tomcat,
>> and the leaving point also, so I can be able to sniff if the client's message has
>> the Cookie info with JSESSIONID= or not, and before sending to check if Tomcat
>> sent Set-Cookie on header so I can make the change needed.
> Why?  What does the code do that can't be done via a Servlet Filter?

You can't intercept the JSESSIONID in the following scenario:

1. User requests protected resource
2. Tomcat creates HttpSession, replies with Set-Cookie and FORM login page
3. User authenticates
4. User is forwarded/redirected to originally-requested resource from #1

Until step #4, no webapp-defined filter will run :(

This can be done with a Valve, but I'm not exactly sure how to insert a
Valve before the authentication valve, which is (I think) what you'd
have to do.

-chris
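The Valve approach mentioned in the message, as an added example that is not part of the original post or of Tomcat's own code: a Valve registered on the Host sits ahead of every Context pipeline, so it sees the request before FORM authentication handles it. The class and package names are hypothetical; it assumes Tomcat 7 to 9 (`javax.servlet`, and `Response.getHeaders`) and the default cookie name `JSESSIONID`.

```java
package com.example; // hypothetical package name

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Records whether each request carried a session cookie and whether the
 * response sets one. Register it inside <Host> in server.xml:
 *   <Valve className="com.example.SessionCookieAuditValve"/>
 */
public class SessionCookieAuditValve extends ValveBase {

    private static final Logger LOG =
            Logger.getLogger(SessionCookieAuditValve.class.getName());
    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed default name

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Entry point: inspect the Cookie header before authentication runs.
        boolean clientSentId = hasSessionCookie(request.getCookies());

        // Hand over to the rest of the pipeline (authenticator, then the webapp).
        getNext().invoke(request, response);

        // Exit point: look for a Set-Cookie header that issues a session id.
        // The response may already be committed here, so this only observes.
        boolean serverSetId = false;
        for (String header : response.getHeaders("Set-Cookie")) {
            if (header.startsWith(SESSION_COOKIE + "=")) {
                serverSetId = true;
                break;
            }
        }
        // Log presence only; the session id itself is a credential.
        LOG.info(request.getRequestURI() + " clientSentId=" + clientSentId
                + " serverSetId=" + serverSetId);
    }

    private static boolean hasSessionCookie(Cookie[] cookies) {
        if (cookies == null) {
            return false; // no Cookie header on the request
        }
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }
}
```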