tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: encodeURL, jsessionid and mod_rewrite ?
Date Wed, 04 Oct 2017 07:58:19 GMT
On 04.10.2017 07:40, Peter Kreuser wrote:
>
> Peter Kreuser
>
>> On 04.10.2017 at 02:44, Christopher Schultz <chris@christopherschultz.net> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Laurant,
>>
>>> On 10/3/17 5:17 PM, Laurent Perez wrote:
>>> I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A
>>> "foo" war is deployed at /foo context path under tomcat. The /foo
>>> path is not public, apache has a rewrite rule defined as : /bar/*
>>> rewrites internally to /foo/*.
>>>
>>> I'm using jstl and its <c:url value="page.jsp"> for every url in my
>>> jsps to gain the ;jsessionid from encodeURL whenever jsessionid
>>> cookie is not yet set (1st requests)
>>>
>
> adding to Christopher, accepting the jsessionid from the URL is a bad security risk (Session
> fixation). So you should disable that by accepting the session only via COOKIE via
>
> <session-config><tracking-mode>COOKIE</tracking-mode> </session-config>
> then at least this rewriting problem is gone.
>
> Peter
>

Well, a cookie can also be path-specific.  Which is only *one* of these issues which we 
are talking about, when we say "don't".
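The cookie-only tracking mode Peter suggests, together with the cookie-path point André raises, as an added web.xml example (constructed for this note, not posted in the thread; the externally visible /bar path and the http-only and secure settings are assumptions):

```xml
<!-- Constructed web.xml fragment (added example, not from the thread).
     Assumes the webapp is deployed at /foo and published by Apache as /bar. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- Accept the session id from the cookie only: a ";jsessionid=..." path
         parameter is ignored, encodeURL()/<c:url> stop rewriting links, and a
         session id carried in a URL can no longer be fixated on a victim. -->
    <tracking-mode>COOKIE</tracking-mode>

    <cookie-config>
      <!-- Tomcat defaults the cookie path to the context path (/foo). Behind the
           /bar -> /foo rewrite the browser only ever sees /bar, so a /foo cookie
           would never be returned. Use the externally visible path (assumption). -->
      <path>/bar</path>
      <!-- Keep the session id out of reach of scripts and off plain HTTP. -->
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

The same path fix can be done on the Apache side with ProxyPassReverseCookiePath, but setting it in the webapp keeps the session cookie correct regardless of which front end sits in front of Tomcat.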



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

