> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
> Subject: RE: Multiple JSESSIONID cookies being presented.

> I checked the error.jsp file and it does have session=true set, and if the
> icon file is missing, the error.jsp is definitely being sent.

> So it looks like the possible solutions are:
> 1) provide a favicon.ico file.
> 2) remove the session=true setting from the error page.
> 3) somehow not send the error.jsp when a sub-link (image, script, etc.)
> results in a 404.
> 4) Have the login page of APP2 provide its own icon <link> directive (it
> doesn't currently have one.)

Why would you ever want your error.jsp to create a session?  Sounds like an 
easy DoS attack to me.

 - Chuck
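
An added example, not part of the original messages or of Tomcat: a static check that flags JSP error pages which create a session each time they are rendered, relying on the JSP default of session="true" when the page directive does not say otherwise. The function names and sample pages are constructed for illustration, and the error-page mappings from web.xml are assumed to be supplied by the caller.

```python
import re

# Matches JSP page directives such as <%@ page session="false" isErrorPage="true" %>
PAGE_DIRECTIVE = re.compile(r"<%@\s*page\b(.*?)%>", re.DOTALL | re.IGNORECASE)
ATTRIBUTE = re.compile(r"""([\w:]+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)


def page_attributes(jsp_source):
    """Merge the attributes of every <%@ page ... %> directive in one JSP."""
    attrs = {}
    for directive in PAGE_DIRECTIVE.finditer(jsp_source):
        for name, _quote, value in ATTRIBUTE.findall(directive.group(1)):
            attrs[name.lower()] = value.strip().lower()
    return attrs


def creates_session(jsp_source):
    """True unless the page opts out; the JSP default is session="true"."""
    return page_attributes(jsp_source).get("session", "true") != "false"


def risky_error_pages(pages, error_page_paths=()):
    """Return the paths of error pages that create a session when rendered.

    pages: mapping of path -> JSP source text.
    error_page_paths: paths mapped via <error-page> in web.xml (caller-supplied).
    """
    flagged = []
    for path, source in sorted(pages.items()):
        is_error = (page_attributes(source).get("iserrorpage") == "true"
                    or path in error_page_paths)
        if is_error and creates_session(source):
            flagged.append(path)
    return flagged


# Constructed sample pages, not taken from the applications in this thread.
SAMPLE_PAGES = {
    "/error.jsp": '<%@ page isErrorPage="true" session="true" %>\n<h1>Not found</h1>',
    "/error-default.jsp": "<%@ page isErrorPage='true' %>\n<h1>Oops</h1>",
    "/error-safe.jsp": '<%@ page isErrorPage="true" %>\n<%@ page session="false" %>',
    "/404.jsp": "<h1>Missing</h1>",
    "/login.jsp": '<%@ page contentType="text/html" %>',
}

if __name__ == "__main__":
    for path in risky_error_pages(SAMPLE_PAGES, error_page_paths={"/404.jsp"}):
        print("creates a session on every error response:", path)
```

Each flagged page allocates a new session for any client that requests a missing resource without presenting a session cookie, which is the DoS concern raised in the reply above.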

