tomcat-users mailing list archives

From Gabriele Bulfon <gbul...@sonicle.com>
Subject Re: Tomcat7 - Firefox - SWF Upload
Date Wed, 09 Feb 2011 11:31:35 GMT
I think I already tried placing that flag in my context.xml where you suggested, but it didn't work...
I'll try again and let you know.
Thanks,
Gabriele.
----------------------------------------------------------------------------------
From: Mark Thomas
To: Tomcat Users List
Date: 9 February 2011 12.18.15 CET
Subject: Re: Tomcat7 - Firefox - SWF Upload
On 09/02/2011 09:19, Gabriele Bulfon wrote:
The conf/context.xml is the default one from Tomcat7 distribution.
My webapp context.xml just contains resources definitions such as jdbc pools.
Where should I place this "useHttpOnly" flag, if this is the solution?
In your app's /META-INF/context.xml change
...
to
...
My real question is about the jsessionid that is stated to be changed on tomcat7,
so maybe swfupload is not able to track the session and run correctly.
The reason is that the httpOnly attribute of a cookie prevents the
cookie from being available to scripts and applets. This prevents the
applet reading the session ID.
Setting useHttpOnly="false" stops the httpOnly flag from being added to
the cookie and makes it available to scripts and applets.
Be aware that disabling the httpOnly attribute on the cookie
significantly increases the impact of any XSS vulnerabilities in your
web application.
Mark
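
As an added example (not part of the original thread and not Tomcat code), the check below reports whether a response sets the session cookie without the HttpOnly attribute, which is the effect of useHttpOnly="false" described above. The function names and the sample response headers are constructed for illustration.

```python
# Added example: checks whether the session cookie in an HTTP response
# carries the HttpOnly attribute. All sample responses are constructed.

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, attr_val = part.partition("=")
            # Attribute names are case-insensitive; flags have no value.
            attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def session_cookies_without_httponly(raw_headers, cookie_name=SESSION_COOKIE):
    """Return the Set-Cookie lines that set cookie_name without HttpOnly."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, _, attrs = parse_set_cookie(value)
        if name == cookie_name and "httponly" not in attrs:
            findings.append(line.strip())
    return findings


# Constructed headers: default behaviour vs. useHttpOnly="false".
WITH_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0A1B2C3D4E5F; Path=/app; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)
WITHOUT_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "set-cookie: JSESSIONID=0A1B2C3D4E5F; Path=/app\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
)

if __name__ == "__main__":
    for label, raw in (("with flag", WITH_FLAG), ("without flag", WITHOUT_FLAG)):
        hits = session_cookies_without_httponly(raw)
        print(label, "->", hits or "session cookie is HttpOnly")
```

Because attributes are parsed rather than matched as a substring, a value such as Path=/HttpOnly is not mistaken for the flag.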