tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Applet, session-ID - TC 6 vs. TC7
Date Tue, 18 Jan 2011 18:47:24 GMT
Hash: SHA1

To whom it may concern,

On 1/15/2011 7:36 AM, wrote:
>> Well, saying you use Form auth was misleading, wasn't it?
> Is called FormAuth in Spring too.

While that may be true, simply stating that you are using FORM
authentication usually leads people to think that you are using the
container's FORM authenticator. Were we supposed to guess that you were
using Spring?

>> If you're using Spring Security maybe your question would be better
>> addressed to one of the Spring forums?
> Hm. But it works in TC 6.0 with the same version of spring.

It is still worth asking the Spring folks. Presumably, they know how
their authenticator interacts with various containers.

>>>> Are you unable to retrieve the new session id?
>>> This is all done magically by the Applet-Java-Runtime.
>> Really... ?
> Somehow the Java-Browser-Plugin is communicating with the browser and when
> you are doing HTTP request from within an applet, the session cookie gets
> automatically sent too.

If the applet is sniffing the session id from the browser, then it
should always be correct: when Tomcat changes your session id, it tells
the browser what the new one is using a Set-Cookie response header. If
that occurs /before/ the applet loads, then the applet should never see
the old session id and you shouldn't have a problem.

It sounds like your situation is a bit more complicated. Perhaps you
could walk us through the scenario?

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message