tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Applet, session-ID - TC 6 vs. TC7
Date Sat, 15 Jan 2011 16:51:04 GMT
On 15/01/2011 16:39, spring@gmx.eu wrote:
>> I have a web app where the user logs in and starts an applet 
>> which uploads a file and then opens a page in the browser. I 
>> use Java 1.6_16.
>>
>> When I do this in TC 6.0.13 the session-ID stays the same 
>> after login. Fine.
>> When I do this in TC 7.0.5 the session-ID changes when the 
>> applet starts to communicate with the server. So the user is 
>> losing his login and the app is broken.
>>
>> What feature in TC 7 leads to this problem? The new session 
>> fixation prevention?
> 
> OK, I think I've got it.
> Something forces httponly cookies in IE, FF, Chrome. NOT in safari. Same
> machine, same java.
> After that it seems that the transfer of cookies between the browser
> and the java-plugin does not work anymore.
> 
> I do not understand, why httponly is forced, because my web.xml is like
> this:
> 
> 		<session-config>
> 			<session-timeout>30</session-timeout>
> 			<cookie-config>
> 				<http-only>false</http-only>
> 			</cookie-config>
> 		</session-config>
> 
> 
> How can I solve this?

You will also need to set useHttpOnly=false on the Context. For
security, Tomcat sets the httpOnly flag on the cookie if either of these
is true.

Mark
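As an added illustration (not part of Mark's reply or the Tomcat project's own documentation), here are the two places Tomcat 7 consults before flagging JSESSIONID as HttpOnly, both switched off so the cookie is visible to the Java plugin. The web.xml part is the one already quoted above; the Context part is what the reply says is missing. The application path `/myapp` and the choice of `META-INF/context.xml` inside the WAR are assumptions; the same `useHttpOnly` attribute can equally go on the Context element in `$CATALINA_BASE/conf/Catalina/localhost/myapp.xml`.

```xml
<!-- WEB-INF/web.xml (Servlet 3.0 schema, as in the original question):
     per-application cookie-config. On its own this is NOT enough in
     Tomcat 7, because the container default useHttpOnly="true" still wins. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
</web-app>

<!-- META-INF/context.xml (assumed location, packaged inside myapp.war):
     the Context-level switch. Tomcat 7 defaults useHttpOnly to true and
     applies HttpOnly if EITHER this attribute OR <http-only> is true,
     so both must be false for the flag to disappear. -->
<Context path="/myapp" useHttpOnly="false" />
```

After redeploying, check the actual header rather than the configuration: a request that creates a session, e.g. `curl -sI http://localhost:8080/myapp/ | grep -i set-cookie`, should show `JSESSIONID=...; Path=/myapp` without the `HttpOnly` attribute. Bear in mind what is being given up: without HttpOnly, any script that runs in the page (including injected script) can read the session cookie, so keep this setting confined to the one application that needs it, or keep HttpOnly on and hand the session ID to the applet explicitly instead.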

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

