-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Phillipe,
On 2/14/18 6:50 PM, Philippe Busque wrote: > I'm migrating from Tomcat 8.0.X to Tomcat 9.0.5 and I have a issue > I've been dragging for too long that I wise to correct. I have been > searching for a workaround and so far, I've found nothing so far > that work out of the box. > > Here is the situation: > > We have a single webapp that can handle multiple domains, some of > which are sub-domains. Example: www.example1.com, > images.example1.com, assets.example1.com, www.example2.com > > As far as I know Tomcat only allows us to set define a domain > through a sessionCookieDomain in the context. But this domain is > fixed. If I set sessionCookieDomain=".example1.com", this will > break www.example2.com and vice-versa. > > If I leave sessionCookieDomain empty, I don't get sub-domain > support as no domain is set and the browser fallback to the current > domain serviced. > > All the manipulation of the session cookie are managed in the > org.apache.catalina.connector.Response class and is not > customizable. > > So far, when we were using Tomcat 8, we were able to do a > workaround by overriding the method addSessionCookieInternal inside > the Response class through a facade, but this is a dirty hack and I > would rather not alter any of Tomcat's inner classes... And a proxy > is out of the question, Response not being an interface. > > The other workaround I can think of is splitting *.example1.com > & example2.com into 2 separate tomcat instance or webapps, but that > would only duplicate the resources required (ram + disk space) for > as many different domains we decide to support. > > > Is there therefor a better way to handle manipulating session > cookies, or is it frozen and out of reach for multiple subdomain? > > A "SessionCookieProcessor", which would take the context & the > cookie, would be most welcome for such a case This all comes down to how cookies actually work. The simply trust is that the web browser isn't going to let you set a cookie for another domain. I'm not even sure how your "hack" even worked. You said that you couldn't use a Proxy... I assume you mean java.lang.reflect.Proxy, right? Well... what about a reverse-proxy (a networking component) that serves all applications under a single domain name? (e.g. examples-all.com)? Then all applications can appear to be using the same shared domain name? If you can't do that, and you really need to support multiple hostnames, then you'll have to do something like trampolining: 1. Client makes a request to https://www.example1.com/resource 2. Respond with 302 ; Set-Cookie: JSESSIONID=foo ; Location:https://www.exmaple2.com/create-session 3. Client follows redirect to https://www.example2.com/create-session 4. Respond with 302 ; Set-Cookie JSESSIONID=bar ; Location: https://www.example1.com/back-from-hostname2 5. Do whatever you need to do afterwards. This is awkward, but it will work. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqHLnIACgkQHPApP6U8 pFi8Vw//V3H/owH7QbLlok99pF5LJ3BHxHQya2AIg5+q2PtqHFSx4dANERF0GL4h /wsdb6UxnQnIkn4rCSSJ46ZMfNTVzkocJPKpWFOIbBrBeuMvqG3Zdtvn/xkAlEFy Bb7kUr3ZFNxiGE+6mZ2bwD79N9FosvWi3Uh7dH2brskcwf+IVvkSd2KR3GsW6Kiy kqovAkAAF+c1BvfnWZrtljoErAUtuwSVELRCxwf+0WvyktrDDLz2EZjP3WlevBck cJyZ0o88dLTN7Apcb054kGVvbY1r0peOkJjmfxs4n/FnOtOTiL6fBIYe+PLBgS0w UNH2XQfBP8+a8cNHi8/8kUtuprHctx+U5aldto+Gm96h9CnDOiwBBJCVx7JN0w9O kdV5yYGLLgHsPOFStFfOl7Oz9I7xNZaHkPSY9X5L1oue8mEQri9aTSUAHW9d2lc7 84Uu543p7prxjgiDhl+jhg7ILxBmKU8NvoAJcYsDQLnDi6KFfeN9rY69QEVE/t9Y l6PfK+QTgPxnlGkwptHayAPr+PyiQIlczpLRyBOwBNCcKc3fNBkb8NTrxXVSxgdB /6tseX0aNQgaTL9+aMxRSMff7vCVU+NZv8LEVWGuYGe5yIc5RtvulvLPwpTZ2hgj 4NLQonTHcj417+xjavtkZjvUKEL53G++7mrYF/Ghs/1z4NoFWok= =RCyY -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
