From: Gabriele Bulfon
To: Tomcat Users List <users@tomcat.apache.org>
Date: Wed, 9 Feb 2011 12:31:35 +0100 (CET)
Subject: Re: Tomcat7 - Firefox - SWF Upload
In-Reply-To: <4D5277F7.9080905@apache.org>

I think I already tried placing that flag in my context.xml where you suggested, but it didn't work....
I'll try again and let you know.
Thanks,
Gabriele.

----------------------------------------------------------------------------------
From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Date: 9 February 2011 12:18:15 CET
Subject: Re: Tomcat7 - Firefox - SWF Upload

On 09/02/2011 09:19, Gabriele Bulfon wrote:
> The conf/context.xml is the default one from Tomcat7 distribution.
> My webapp context.xml just contains resources definitions such as jdbc pools.
> Where should I place this "useHttpOnly" flag, if this is the solution?

In your app's /META-INF/context.xml change

<Context>
...
</Context>

to

<Context useHttpOnly="false">
...
</Context>

> My real question is about the jsessionid that is stated to be changed on tomcat7,
> so maybe swfupload is not able to track the session and run correctly.

The reason is that the httpOnly attribute of a cookie prevents the
cookie from being available to scripts and applets. This prevents the
applet reading the session ID.

Setting useHttpOnly="false" stops the httpOnly flag from being added to
the cookie and makes it available to scripts and applets.

Be aware that disabling the httpOnly attribute on the cookie
significantly increases the impact of any XSS vulnerabilities in your
web application.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
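As an added check (not code from this thread or from Tomcat itself), the following Python tells the two <Context> settings Mark describes apart and flags a JSESSIONID that a server issued without HttpOnly. The context.xml fragments and Set-Cookie headers are constructed samples, and it assumes Tomcat 7's default of useHttpOnly being on unless explicitly set to "false".

```python
"""Spot a Tomcat context that turns HttpOnly off, and session cookies issued without it."""
from http.cookies import SimpleCookie
import xml.etree.ElementTree as ET

# Constructed samples: the default context and the relaxed one from Mark's reply.
CONTEXT_DEFAULT = (
    '<Context><Resource name="jdbc/pool" type="javax.sql.DataSource"/></Context>'
)
CONTEXT_RELAXED = (
    '<Context useHttpOnly="false">'
    '<Resource name="jdbc/pool" type="javax.sql.DataSource"/></Context>'
)

# Constructed Set-Cookie headers: what a server sends with and without the flag.
SET_COOKIE_DEFAULT = "JSESSIONID=ABC123DEF456; Path=/myapp; HttpOnly"
SET_COOKIE_RELAXED = "JSESSIONID=ABC123DEF456; Path=/myapp"


def context_uses_http_only(context_xml: str) -> bool:
    """True when the <Context> leaves HttpOnly on (assumed Tomcat 7 default).

    Only an explicit useHttpOnly="false" disables it; a missing attribute
    or any other value keeps the session cookie script-inaccessible.
    """
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element, got <%s>" % root.tag)
    return root.get("useHttpOnly", "true").strip().lower() != "false"


def session_cookies_missing_httponly(set_cookie_headers):
    """Return the names of JSESSIONID cookies set without the HttpOnly attribute.

    A session cookie in this list is readable by any script running in the
    page, so an XSS bug in the application can steal the session outright.
    """
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # morsel["httponly"] is True when the flag is present, "" otherwise
            if name.upper() == "JSESSIONID" and not morsel["httponly"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    for label, ctx in (("default", CONTEXT_DEFAULT), ("relaxed", CONTEXT_RELAXED)):
        print(label, "context keeps HttpOnly:", context_uses_http_only(ctx))
    print("cookies lacking HttpOnly:",
          session_cookies_missing_httponly([SET_COOKIE_DEFAULT, SET_COOKIE_RELAXED]))
```

Run it against the real Set-Cookie headers a browser or curl receives from the app to confirm which setting is actually in effect, rather than inferring it from which context.xml you edited.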