> -----Original Message-----
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: Thursday, September 10, 2015 12:01 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Multiple JSESSIONID cookies being presented.
> 
> > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> > Subject: RE: Multiple JSESSIONID cookies being presented.
> 
> > I checked the error.jsp file and it does have session=true set, and if the icon file
> > is missing, the error.jsp is definitely being sent.
> 
> > So it looks like the possible solutions are:
> > 1) provide a favicon.ico file.
> > 2) remove the session=true setting from the error page.
> > 3) somehow not send the error.jsp when a sub-link (image, script, etc.) results in a 404.
> > 4) Have the login page of APP2 provide its own icon <link> directive (it doesn't currently
> > have one.)
> 
> Why would you ever want your error.jsp to create a session?  Sounds like
> an easy DoS attack to me.
> 
>  - Chuck
> 
Programmers.  What more do I need to say....


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
