tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Multiple JSESSIONID cookies being presented.
Date Thu, 10 Sep 2015 17:00:40 GMT
> From: Jeffrey Janner [mailto:Jeffrey.Janner@PolyDyne.com] 
> Subject: RE: Multiple JSESSIONID cookies being presented.

> I checked the error.jsp file and it does have session=true set, and if the icon file
> is missing, the error.jsp is definitely being sent.

> So it looks like the possible solutions are:
> 1) provide a favicon.ico file.
> 2) remove the session=true setting from the error page.
> 3) somehow not send the error.jsp when a sub-link (image, script, etc.) results in a 404.
> 4) Have the login page of APP2 provide its own icon <link> directive (it doesn't currently
> have one.)

Why would you ever want your error.jsp to create a session?  Sounds like an easy DoS attack
to me.

 - Chuck
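
An error page that never creates a session, as an added example (not the poster's error.jsp and not Tomcat project code). The JSP `session` page attribute defaults to `true`, so the page has to state `session="false"` explicitly; the session attribute name `user` and the link targets are assumptions.

```jsp
<%-- error.jsp (added example; not the file discussed in the thread) --%>
<%-- With session="true", or with the attribute omitted (true is the JSP default),
     the container creates a session and sends Set-Cookie: JSESSIONID for every
     request that reaches this page, including an unauthenticated 404 for a
     missing favicon.ico. session="false" turns that off. --%>
<%@ page isErrorPage="true" session="false"
         contentType="text/html; charset=UTF-8" %>
<%
    // getSession(false) returns the caller's existing session or null.
    // It never allocates a new one, so this page cannot be used to fill
    // the session store.
    HttpSession existing = request.getSession(false);
    // "user" is an assumed attribute name for the logged-in marker.
    boolean loggedIn = existing != null && existing.getAttribute("user") != null;
%>
<!DOCTYPE html>
<html>
<head><title>Error</title></head>
<body>
  <%-- statusCode is an int supplied by the container, so it is safe to print.
       The request URI is deliberately not echoed back into the page. --%>
  <h1>Request failed (status ${pageContext.errorData.statusCode})</h1>
  <% if (loggedIn) { %>
    <p><a href="<%= request.getContextPath() %>/">Return to the application</a></p>
  <% } else { %>
    <p><a href="<%= request.getContextPath() %>/login">Log in</a></p>
  <% } %>
</body>
</html>
```

Requesting a nonexistent path without cookies and confirming the 404 response carries no `Set-Cookie: JSESSIONID` header verifies the change.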



