tomcat-users mailing list archives

From Michael Heinen <mhn4...@googlemail.com>
Subject Re: Tomcat 7 applet session problem
Date Thu, 07 Jul 2011 07:39:03 GMT
It could be caused by the useHttpOnly attribute of the context to 
prevent cross-site scripting attacks.
HttpOnly cookies are not allowed to be passed to any client-side script 
or plug-in, such as a Java applet.

See e.g. 
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Common_Attributes

So you have to
a) disable httpOnly cookies
b) pass a parameter into the applet with the sessionId and the applet 
has to use this sessionId in the requests.

Michael


On 06.07.2011 23:18, Pid wrote:
> On 06/07/2011 21:54, S Arvind wrote:
>> Hi All,
>> Web application presently running in Tomcat 6 which has an applet
>> in it. In that applet we make a connection to the server using the URL class and get
>> some data from the server after it loads. In this process we got an error after
>> updating to Tomcat 7. The problem is that the session between the web
>> application and the applet varies, although both run in the same browser tab. Don't
>> know why in Tomcat 7 the applet request was considered as a separate session
>> but instead in Tomcat 6 both are considered as the same session request. Is there
>> any configuration change for it?
> Tomcat 7.0.x and later versions of 6.0.x change the session id after
> authentication*.  You can't rely on the session id remaining the same,
> the applet will need to check for session id changes in the cookie (or url).
>
>
> p
>
> * In order to prevent some session hijacking attacks
>
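
An added example, not part of either post and not Tomcat's own code: one way to implement option (b) together with the session id change described in the quoted reply, for Java 9 or later. The class name `SessionAwareClient`, the `sessionId` parameter name and the id character check are assumptions; `JSESSIONID` is Tomcat's default session cookie name. An id handed to the applet through the page is readable by scripts on that page, which is the exposure `useHttpOnly` otherwise closes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpCookie;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.List;
import java.util.Map;

/** Hypothetical helper: sends requests inside the web application's session. */
public class SessionAwareClient {
    private static final String COOKIE_NAME = "JSESSIONID"; // Tomcat default
    private volatile String sessionId;

    /** @param sessionId value the page handed over, e.g. an applet parameter named "sessionId" (assumed name) */
    public SessionAwareClient(String sessionId) {
        // Accept only token-like characters so the value cannot add header content.
        if (sessionId == null || !sessionId.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("unexpected session id format");
        }
        this.sessionId = sessionId;
    }

    public String currentSessionId() {
        return sessionId;
    }

    /** GET the URL with the session cookie attached, then adopt any id the server reissued. */
    public byte[] get(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Cookie", COOKIE_NAME + "=" + sessionId);
        try (InputStream in = conn.getInputStream()) {
            trackSessionChange(conn.getHeaderFields());
            return in.readAllBytes();
        } finally {
            conn.disconnect();
        }
    }

    /** The server may issue a new id (for example after authentication); use it from then on. */
    void trackSessionChange(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!"Set-Cookie".equalsIgnoreCase(e.getKey())) continue; // status line has a null key
            for (String header : e.getValue()) {
                for (HttpCookie c : HttpCookie.parse(header)) {
                    if (COOKIE_NAME.equals(c.getName())) sessionId = c.getValue();
                }
            }
        }
    }
}
```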

