tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Juliano Daloia de Carvalho <judac2...@yahoo.com.br>
Subject Res: Res: Res: JSESSIONID Cookie handle customizing
Date Fri, 15 Oct 2010 17:43:20 GMT
Mark, I do not want to change how tomcat handle the sessionId.

I want to create one little class that handle on the server side the cookie 
information that can come on the header, make a preprocessing which will create 
one another information that I want to put on the attributes of the request. 

I do not want to change nothing on how tomcat handle session id.

I just need to process the request header before tomcat use it, so I can make 
the operation and create a new attribute and put the session id that tomcat 
knows.

I just need to know the first class on tomcat that receives the message from the 
client and the last one before send it to the client.

Tks

Juliano



----- Mensagem original ----
De: Mark Thomas <markt@apache.org>
Para: Tomcat Users List <users@tomcat.apache.org>
Enviadas: Sexta-feira, 15 de Outubro de 2010 13:56:07
Assunto: Re: Res: Res: JSESSIONID Cookie handle customizing

On 15/10/2010 17:47, Juliano Daloia de Carvalho wrote:
> Chuck, I can't say explicit why I need to use this info on the session. but is 

> related with security issues.
>  
> and you are right, is much more plausible to make this as you said, but I 
> can't afford to do that.

If you need to control the session ID then the right way to do this is
to extend the Manager and override generateSessionId(). Anything else is
going to be fragile, particularly when you factor in that Tomcat will
change the session ID on authentication to prevent session fixation.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message