On Thu, 20 Mar 2003, Aditya wrote:
> Date: Thu, 20 Mar 2003 21:40:20 -0800
> From: Aditya <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: domain-wide session cookies?
>
> Under Tomcat-4 it looks like the session cookie is set in:
>
> org/apache/catalina/connector/HttpResponseBase.java
>
> and the code that sets it uses the default domain (which is equal to the
> request hostname.domain.tld) when it sets the session cookie. I need to set
> the cookie to be domain-wide, i.e. ".domain.tld", however it seems silly to
> hardcode it in the above class.
>
> Before I tackle this:
>
> 0) is there a better way to do it?
>
> 1) if not, is this the right place to do it?
>
> 2) what is the best place (i.e. where in server.xml) to put an option to enable
> this?
>

I personally prefer option 3 -- don't change anything. Exposing session id cookies to a broader audience than just the webapp that created them is a security vulnerability. If you need to share stuff across webapps, use some other cookie, not the container-managed one.

> Thanks,
> Adi

Craig
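The point Craig makes above, shown in code. This is an added example and not code from the Tomcat project or from either poster. It models the browser's cookie domain matching (RFC 6265 section 5.1.3) to show which hosts receive a host-only JSESSIONID versus one set with Domain=.domain.tld, and it implements the alternative he suggests: a separate, HMAC-signed cookie for the data the webapps actually need to share, so the container's session id never leaves the host that issued it. The host names, the cookie values and the HMAC key are constructed for the demo.

```python
"""Cookie scoping demo (added example, not Tomcat code).

Host-only session cookie (Tomcat's default, per the thread) versus a
domain-wide one, plus a separate HMAC-signed cookie for cross-webapp data.
Host names, values and the key below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_by: str                    # host that issued the Set-Cookie header
    domain: Optional[str] = None   # None = host-only (no Domain attribute)


def _domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the domain, or ends with '.' + domain.
    A leading dot (".domain.tld", as in the thread) is ignored, as browsers do."""
    d = cookie_domain.lower().lstrip(".")
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in jar:
        if c.domain is None:
            ok = c.set_by.lower() == request_host.lower()   # host-only cookie
        else:
            ok = _domain_match(request_host, c.domain)      # domain cookie
        if ok:
            sent.append(c.name)
    return sorted(sent)


def make_shared_cookie(payload: dict, key: bytes) -> str:
    """Value for a separate, domain-wide cookie: base64url(JSON) '.' HMAC-SHA256.
    It carries only the data the webapps need to share, never the session id."""
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_shared_cookie(value: str, key: bytes) -> Optional[dict]:
    """Return the payload if the tag verifies, otherwise None."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    pad = "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(body + pad))


def demo() -> dict:
    """Constructed scenario: app.domain.tld issues the cookies, wiki.domain.tld is
    another webapp on the same parent domain, the last host is a look-alike."""
    key = b"constructed-demo-key-not-for-production"
    host_only = Cookie("JSESSIONID", "ABC123", set_by="app.domain.tld")
    domain_wide = Cookie("JSESSIONID", "ABC123", set_by="app.domain.tld",
                         domain=".domain.tld")
    shared = Cookie("SHARED", make_shared_cookie({"user": "adi"}, key),
                    set_by="app.domain.tld", domain=".domain.tld")
    tampered = shared.value[:-1] + ("0" if shared.value[-1] != "0" else "1")
    return {
        "host_only_to_other_app": cookies_sent_to([host_only, shared], "wiki.domain.tld"),
        "domain_wide_to_other_app": cookies_sent_to([domain_wide, shared], "wiki.domain.tld"),
        "domain_wide_to_lookalike": cookies_sent_to([domain_wide], "domain.tld.evil.example"),
        "shared_payload": verify_shared_cookie(shared.value, key),
        "tampered_payload": verify_shared_cookie(tampered, key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the default host-only JSESSIONID, wiki.domain.tld never sees the session id and only receives the signed SHARED cookie; once the session cookie carries Domain=.domain.tld, every host under that parent domain gets it, which is the exposure Craig objects to. The signed cookie lets the other webapps read shared data without being able to forge it, and without ever holding a credential that can replay the issuing webapp's session.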