tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: Applet, session-ID - TC 6 vs. TC7
Date Sat, 15 Jan 2011 16:51:04 GMT
On 15/01/2011 16:39, wrote:
>> I have a web app where the user logs in and starts an applet 
>> which uploads a file and then opens a page in the browser. I 
>> use Java 1.6_16.
>> When I do this in TC 6.0.13 the session-ID stays the same 
>> after login. Fine.
>> When I do this in TC 7.0.5 the session-ID changes when the 
>> applet starts to communicate with the server. So the user is 
>> losing his login and the app is broken.
>> What feature in TC 7 leads to this problem? The new session 
>> fixation prevention?
> OK, I think I've got it.
> Something forces httponly cookies in IE, FF, Chrome. NOT in safari. Same
> machine, same java.
> After that it seems that the transfer of cookies between the browser
> and the java-plugin does not work anymore.
> I do not understand, why httponly is forced, because my web.xml is like
> this:
> 		<session-config>
> 			<session-timeout>30</session-timeout>
> 			<cookie-config>
> 				<http-only>false</http-only>
> 			</cookie-config>
> 		</session-config>
> How can I solve this?

You will also need to set useHttpOnly=false on the Context. For
security, Tomcat sets the httpOnly flag on the cookie if either of these
are true.
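As an added illustration of the two settings Mark refers to (this is not part of the original message): the application-level flag lives in WEB-INF/web.xml, the container-level flag is the useHttpOnly attribute on the Context element, which can be set in the web app's META-INF/context.xml (or in conf/Catalina/localhost/<appname>.xml). Both must be false for the JSESSIONID cookie to be sent without the HttpOnly flag; the context path and app name below are assumed.

```xml
<!-- WEB-INF/web.xml : the Servlet 3.0 cookie-config already shown in the question -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
    </cookie-config>
</session-config>

<!-- META-INF/context.xml : the container-level flag.
     Tomcat 7 defaults useHttpOnly to true, so web.xml alone is not enough. -->
<Context path="/myapp" useHttpOnly="false">
</Context>
```

Note the trade-off: once HttpOnly is off, the session cookie becomes readable by JavaScript in the page, so a cross-site scripting bug anywhere in the application can leak the session ID. Turning it off should be limited to applications that actually need script or plug-in access to the cookie, as the applet case here does.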

