Wesley,
On 3/30/15 3:57 AM, Wesley Acheson wrote:
> On Mon, Mar 30, 2015 at 2:17 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>> Wesley,
>>
>> On 3/29/15 1:15 PM, Wesley Acheson wrote:
>>>> A team I am working with use tomcat 7 as their web container.
>>>> The application cannot use url session tracking due to
>>>> compliance reasons.
>>>>
>>>> One of the requirements we are facing is that the
>>>> application should work in an iframe on the safari web
>>>> browser, which blocks all cookies.
>>
>> Do you mean that Safari has been configured to block all cookies?
>> Because Safari won't block cookies just because you are using an
>> <iframe>.
>
> Should have said it's a third party domain name. That can't change
> easily. Should have written Safari blocks all third party cookies.

Okay, that explains it.

Let me ask you... why is a path parameter (;jsessionid=f00) unacceptable but not a request parameter? Or is it that you want to have the parameters be in POST-parameters only?

In terms of forgery and/or capturing session identifiers, there's really no difference from a security perspective of any of these strategies.
-chris