tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat7 - Firefox - SWF Upload
Date Wed, 09 Feb 2011 11:18:15 GMT
On 09/02/2011 09:19, Gabriele Bulfon wrote:
> The conf/context.xml is the default one from Tomcat7 distribution.
> My webapp context.xml just contains resources definitions such as jdbc pools.
> Where should I place this "useHttpOnly" flag, if this is the solution?

In your app's /META-INF/context.xml change

<Context>
...
</Context>

to

<Context useHttpOnly="false">
...
</Context>

> My real question is about the jsessionid that is stated to be changed on tomcat7,
> so maybe swfupload is not able to track the session and run correctly.

The reason is that the httpOnly attribute of a cookie prevents the
cookie from being available to scripts and applets. This prevents the
applet reading the session ID.

Setting useHttpOnly="false" stops the httpOnly flag from being added to
the cookie and makes it available to scripts and applets.

Be aware that disabling the httpOnly attribute on the cookie
significantly increases the impact of any XSS vulnerabilities in your
web application.

Mark
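As an added example (not part of Mark's reply and not Tomcat's own code), a small Python audit that flags the two visible signs of the trade-off he describes: a context.xml that sets useHttpOnly="false", and a JSESSIONID Set-Cookie header that reaches the browser without the HttpOnly flag. The context.xml fragments and header lines below are constructed samples.

```python
# Added example: audit the Tomcat useHttpOnly setting and the resulting
# Set-Cookie header. Sample inputs are constructed, not taken from a real app.
import xml.etree.ElementTree as ET


def context_allows_script_cookies(context_xml):
    """True if this context.xml turns useHttpOnly off, so page scripts and
    applets can read the session cookie. A missing attribute is treated as
    Tomcat 7's default (true); any value other than "true" is flagged."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    return root.get("useHttpOnly", "true").strip().lower() != "true"


def session_cookie_lacks_httponly(set_cookie):
    """True if a Set-Cookie header sets JSESSIONID without the HttpOnly flag."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name != "JSESSIONID":          # only the Tomcat session cookie matters here
        return False
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return "httponly" not in attrs


def audit(context_xml, set_cookie_headers):
    """Collect findings; an empty list means the session cookie stays HttpOnly."""
    findings = []
    if context_allows_script_cookies(context_xml):
        findings.append('context.xml sets useHttpOnly="false"')
    for header in set_cookie_headers:
        if session_cookie_lacks_httponly(header):
            findings.append("Set-Cookie without HttpOnly: " + header.split(";")[0])
    return findings


# Constructed samples: the default <Context> with a JDBC resource, the
# <Context useHttpOnly="false"> form from the reply, and headers as a
# servlet container would send them with the flag on and off.
CONTEXT_DEFAULT = '<Context>\n  <Resource name="jdbc/pool" />\n</Context>'
CONTEXT_OPEN = '<Context useHttpOnly="false">\n</Context>'
HEADERS = [
    "JSESSIONID=CONSTRUCTED1; Path=/app; HttpOnly",
    "JSESSIONID=CONSTRUCTED2; Path=/app",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit(CONTEXT_OPEN, HEADERS):
        print(finding)
```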



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

