Jonas-
 
Many larger organisations are starting to discourage reading/writing cookies as 
it allows one to introduce Cross Domain Security breaches as well as storing 
potential viruses.
Have you looked at a strategy of url-rewrite or sending all information to the 
server including <j>sessionid?
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
Martin

> Date: Sun, 25 Nov 2007 17:10:50 +0100
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: Cross-domain calls when third-party cookies are not allowed
>
> I believe if you set the p3p policy correctly (in your tomcat) ie7
> will accept the third party cookies.
>
> regards
> Leon
>
> On Nov 22, 2007 11:05 PM, J.Gustafsson <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> > I have an interesting problem (I think) that I wonder if someone could
> > assist me with.
> >
> > I want to do cross-domain scripting. I have some java-script that makes a
> > cross-domain http request to a Tomcat server. This works fine as long as
> > third-party cookies are allowed in the browser. Tomcat can keep track of the
> > session by the jsessionId. If cookies are not allowed at all in the browser,
> > I simply let the java-script decide to not make a cross-domain call at all.
> > Those are not interesting for my application. My problems appear when
> > first-party cookies are allowed, but third-party is not (the default settings
> > in IE7 I think). The java-script will think that cookies are allowed and make
> > the cross-domain http call. Since third party cookies are not allowed,
> > Tomcat is not allowed to set a jsessionId on a cookie, but instead add the
> > jsessionId on the URL.
> >
> > This is unfortunately not good enough for me. When third-party cookies are
> > allowed, my java-script provides a first-party cookie in the cross-domain
> > http call. I use this value to identify the user, and set it on the session
> > created by Tomcat. If however Tomcat cannot set cookies, since third-party
> > cookie is not allowed, I simply cannot do like this.
> >
> > So what do I actually want to achieve?
> > I would like Tomcat to bypass its "sanity" check when URL-rewrite is done. I
> > want Tomcat to create a session with a key (jsessionId) I provide it with.
> > Does this sound totally insane? Maybe it is. Perhaps there is another
> > solution I have not thought of?
> >
> > I know there is another solution, running Tomcat session-less and writing to
> > a file/db for each call, but because of performance reasons, I would like to
> > avoid this.
> >
> > Any ideas/proposals?
> >
> > /jonas
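
The URL-rewrite approach suggested in the reply above, as an added example that is not code from the thread: the script keeps the session ID that Tomcat issues in a rewritten URL and sends it back as the `;jsessionid=` path parameter on later cross-domain calls. The host name, paths and sample ID are constructed, and the ID pattern is an assumption based on Tomcat's default hex IDs.

```javascript
// Added example, not from the thread. Tomcat's URL-rewriting fallback carries
// the session ID as a path parameter: /path;jsessionid=<id>?query#fragment

// Assumption: Tomcat's default IDs are hex digits, optionally followed by
// ".<jvmRoute>". Anything else is rejected rather than echoed into a URL.
const SESSION_ID_RE = /^[0-9A-Fa-f]{16,64}(\.[A-Za-z0-9_-]+)?$/;

// Split a URL into its path part and the "?query#fragment" remainder.
function splitUrl(url) {
  const cut = url.search(/[?#]/);
  return cut === -1 ? [url, ''] : [url.slice(0, cut), url.slice(cut)];
}

// Return the server-issued session ID found in a rewritten URL, or null.
// Only the path parameter counts; a "jsessionid" query parameter is ignored.
function extractSessionId(url) {
  const [path] = splitUrl(url);
  const m = /;jsessionid=([^;\/]+)/.exec(path);
  return m && SESSION_ID_RE.test(m[1]) ? m[1] : null;
}

// Attach the session ID to a URL for the next cross-domain call, replacing
// any stale ID and keeping the query string and fragment in place.
function withSessionId(url, id) {
  if (!SESSION_ID_RE.test(id)) {
    throw new Error('unexpected session id format');
  }
  const [path, rest] = splitUrl(url);
  const cleanPath = path.replace(/;jsessionid=[^;\/]*/g, '');
  return cleanPath + ';jsessionid=' + id + rest;
}

// Constructed sample: a URL as Tomcat would rewrite it when cookies are refused.
const rewritten =
  'http://tomcat.example.com/app/track;jsessionid=0123456789ABCDEF0123456789ABCDEF?x=1';
const sid = extractSessionId(rewritten);
const nextCall = withSessionId('http://tomcat.example.com/app/next?user=42#top', sid);
console.log(nextCall);
```

A session ID carried in the URL ends up in access logs, browser history and Referer headers, so such URLs should stay out of links that lead to other sites.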