Pid,

Pid wrote:
> Christopher Schultz wrote:
>> Bottom line: beware deploying applications inside one another's URI spaces.
>
> Do you mean 'inside' as in the (expected) outcome of
>
> app1.war
> app1#part2.war

It's worse than that, because Apache httpd was fronting the whole thing, and each application was in a separate Tomcat instance. Hence, no ability for Tomcat to differentiate between /legit/request/to/app1 and /nonlegit/request/to/app1/app2/whatever.

Basically, I completely shot myself in the foot. ;)

> ... and if not, I wonder what the implications for cookie handling
> therein are.

Since I was forwarding a cookie from one app to another, and the app first handling the request didn't use sessions at all, so a doubled-up JSESSIONID cookie made it impossible to figure out which one was the "right" one. Sure, we could have issued a second backend request to the other app, but why bother when your deployment is fubar'd.

-chris
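
Why the JSESSIONID doubles up in the deployment described above, as an added example that is not part of the original message: it applies RFC 6265 path-matching to context paths where one sits inside another. The context paths, session ids and the assumption that each application sets JSESSIONID with Path equal to its own context path are constructed for illustration.

```python
# Added example: RFC 6265 path-matching applied to nested context paths.
# Context paths and session ids below are constructed sample values.

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: does cookie_path cover request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a '/' boundary, so /app1 does not cover /app10.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(request_path, jar):
    """Return (name, value, path) tuples a client would send, longest path first."""
    hits = [c for c in jar if path_match(request_path, c[2])]
    return sorted(hits, key=lambda c: len(c[2]), reverse=True)


def ambiguous_names(request_path, jar):
    """Cookie names that arrive more than once for this request path."""
    names = [name for name, _, _ in cookies_sent(request_path, jar)]
    return sorted({n for n in names if names.count(n) > 1})


def nested_contexts(contexts):
    """Pairs (outer, inner) where inner is deployed inside outer's URI space."""
    return [(o, i) for o in contexts for i in contexts
            if o != i and path_match(i, o)]


# Assumption: each app issues JSESSIONID with Path set to its own context path.
CONTEXTS = ["/app1", "/app1/app2", "/app10"]
JAR = [("JSESSIONID", "AAAA-constructed", "/app1"),
       ("JSESSIONID", "BBBB-constructed", "/app1/app2"),
       ("JSESSIONID", "CCCC-constructed", "/app10")]

if __name__ == "__main__":
    print("nested:", nested_contexts(CONTEXTS))
    for path in ("/app1/page", "/app1/app2/whatever", "/app10/x"):
        sent = cookies_sent(path, JAR)
        print(path, "->", "; ".join(f"{n}={v}" for n, v, _ in sent),
              "| ambiguous:", ambiguous_names(path, JAR))
```

Running `nested_contexts` over the context paths behind a shared front end flags the overlap before deployment; the longest-path-first ordering is only a recommendation to clients, so a backend should not rely on it to pick the "right" session cookie.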