[jboss-dev-forums] [Design of JBoss/Tomcat Integration] - Re: [JBAS-2568] Passing a cookie header with a spurious JSES
nestor.urquiza@gmail.com
do-not-reply at jboss.com
Thu Jan 31 16:09:08 EST 2008
Hi guys,
This is an old post, and I have been struggling with this issue for a while, trying to understand my best options.
The only thing that cannot be argued is that accepting session ids "external to the application" has nothing to do with "which path the session cookie is stored under".
Let us take my personal problem as a real example: a clustered environment composed of Apache using mod_jk to redirect requests to a particular Tomcat container:
1. Apache receives the request http://domain/index.jsp
2. which is translated to http://domain/context/index.jsp and forwarded to Tomcat
3. If Tomcat has emptySessionPath="true", the whole application works OK, but a given client could insert external cookies.
4. If Tomcat has emptySessionPath="false", the application is protected from external clients setting the session cookie, but then any request missing the context part of the URL will be considered part of a new session, since the session cookie is stored with path="/context" instead of path="".
What we really need is:
A. No external cookies allowed.
B. Session cookies stored with path="/"
Am I missing something? Thanks in advance for any help!
-Nestor
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4125297#4125297
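The post wants both a cookie at path="/" and no client-supplied session ids honoured. Keeping emptySessionPath="true" covers the path; the usual way to neutralise a session id a client planted before authentication is to rotate the id at login, so the authenticated session is always one the container generated itself. The code below is an added example written for this thread, not code from JBoss, Tomcat or the original poster. It assumes a Servlet 2.4/2.5 container (no changeSessionId() yet, so attributes are copied by hand), and the onLoginSuccess hook and the "user" attribute name are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread, JBoss or Tomcat): rotate the session id at
 * the moment a user authenticates. A JSESSIONID a client planted before login
 * (requirement A in the post) then never names the authenticated session, while
 * emptySessionPath="true" keeps the cookie at path="/" (requirement B).
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    /**
     * Invalidate the caller's current session (if any) and return a fresh one
     * that carries over the same attributes. The container generates the new id
     * itself and sets the cookie on its configured path; nothing the client sent
     * is reused.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Hypothetical login hook (assumed name): call after the credentials have
     * been verified and BEFORE the principal is stored, so the principal only
     * ever lives in a server-chosen session.
     */
    public static void onLoginSuccess(HttpServletRequest request, Object principal) {
        // Optional diagnostic: a presented id the container does not know about
        // was either planted by the client or has expired.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            System.err.println("login with unknown JSESSIONID from " + request.getRemoteAddr());
        }
        HttpSession session = rotate(request);
        session.setAttribute("user", principal); // "user" is an assumed attribute name
    }
}
```

Two caveats for a clustered mod_jk setup like the one in the post: the new session must replicate before the next request reaches a different node, and anything that cached the old HttpSession reference (listeners, long-lived request attributes) must be re-fetched after rotate(). Later Tomcat releases (Tomcat 7's Context element) expose the cookie path directly through a sessionCookiePath attribute, which removes the need to rely on emptySessionPath for requirement B.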