tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Fix the cookie path with mod_jk
Date Tue, 19 Apr 2011 01:53:35 GMT

Yu (Kikuchi?),

On 4/18/2011 9:04 PM, Yu Kikuchi wrote:
> Sorry. The point of view is very important but I didn't mention it.
> 
> To be exact, I want to suffix a slash "/" to the cookie path.
> 
> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
> To  ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo/
> 
> My application returns a cookie with "Path=/foo" and I think it has a
> security issue in that the browsers send the cookie to all of the
> directories whose names begin with "/foo" (such as /foobar, /food, etc.).
> 
> So I want to know whether the path could be fixed without changing my
> apps or not.

If you have a client (browser) that does that, it is very broken. Can
you demonstrate this anywhere?

-chris

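An added example, not part of the original messages: the cookie path-match rule from RFC 6265 section 5.1.4 next to a plain string-prefix comparison, run over the paths named in the thread. The function names and the sample request paths other than /foobar and /food are constructed for illustration, and inputs are assumed to be absolute paths without a query string.

```javascript
// Added example: RFC 6265 section 5.1.4 path-match vs. a plain prefix test.
// Function names and sample paths are constructed for illustration.

// True when a cookie with this Path attribute is sent for requestPath
// under the RFC 6265 path-match rule.
function rfc6265PathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;           // identical paths
  if (!requestPath.startsWith(cookiePath)) return false; // must be a prefix
  if (cookiePath.endsWith("/")) return true;             // prefix ends at a segment boundary
  // Otherwise the first character after the prefix must be "/".
  return requestPath.charAt(cookiePath.length) === "/";
}

// The behaviour the question worries about: prefix comparison with no
// check for a segment boundary.
function naivePrefixMatch(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Evaluate both rules for every request path.
function compare(cookiePath, requestPaths) {
  return requestPaths.map((p) => ({
    requestPath: p,
    rfc6265: rfc6265PathMatch(p, cookiePath),
    naivePrefix: naivePrefixMatch(p, cookiePath),
  }));
}

// Request paths that would receive the cookie only under the plain
// prefix rule, i.e. sibling contexts that share a name prefix.
function overExposed(cookiePath, requestPaths) {
  return compare(cookiePath, requestPaths)
    .filter((r) => r.naivePrefix && !r.rfc6265)
    .map((r) => r.requestPath);
}

// Constructed sample request paths.
const SAMPLE_PATHS = ["/foo", "/foo/", "/foo/app", "/foobar", "/food/x", "/bar"];

console.table(compare("/foo", SAMPLE_PATHS));
console.table(compare("/foo/", SAMPLE_PATHS));
```

With `Path=/foo/` the two rules agree on every sample path, and neither sends the cookie on a request for `/foo` itself (no trailing slash).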

