Hi there, sorry for the delay in giving you news.

First, I would like to thank Pid, Mark, Charles and Christopher for the responses.

I've solved my problem using a Valve (thanks, Mark :) ). I extended the BaseValve and it's working perfectly (it is in production right now). I didn't know of the Valve's existence. It was exactly what I needed. With it I could intercept the "Set-Cookie" and the incoming "cookie".

Now, instead of passing only the jsessionid, I put two other pieces of information in without changing the length of the jsessionid (I use Base 64). With those two extra pieces of information I'm able to identify the request id and the request signature, avoiding replayed requests and man-in-the-middle attacks. Now on every request the cookie is totally different, even in the browser cookie.

Thank you all!

Best Regards
Juliano

--------------------------------------------------------------
Juliano Daloia de Carvalho
-------------------------------------------------------------
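A sketch of the kind of per-request cookie value the message above describes, as an added example that is not the poster's Valve code: a Valve would call `verify` on the incoming cookie and `issue` when writing Set-Cookie. The class name, the `|` delimiter, HMAC-SHA256, the random request id and the in-memory map are all assumptions, and this version does not keep the value at the original jsessionid length.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: one-time, signed session cookie values. */
public class RollingSessionToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private final SecureRandom rng = new SecureRandom();
    private final SecretKeySpec key;
    // session id -> the single request id that is still unused
    private final Map<String, String> outstanding = new ConcurrentHashMap<>();

    public RollingSessionToken(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return ENC.encodeToString(mac.doFinal(payload.getBytes(UTF_8)));
    }

    /** Value for the outgoing Set-Cookie; replaces any earlier value for this session. */
    public String issue(String sessionId) throws Exception {
        String requestId = Long.toHexString(rng.nextLong());
        outstanding.put(sessionId, requestId);
        String payload = sessionId + "|" + requestId;
        return ENC.encodeToString((payload + "|" + sign(payload)).getBytes(UTF_8));
    }

    /** Returns the session id if the incoming cookie is authentic and unused, else null. */
    public String verify(String cookie) throws Exception {
        String[] p;
        try { p = new String(Base64.getUrlDecoder().decode(cookie), UTF_8).split("\\|", -1); }
        catch (IllegalArgumentException e) { return null; }      // not valid Base64
        if (p.length != 3) return null;
        byte[] want = sign(p[0] + "|" + p[1]).getBytes(UTF_8);
        if (!MessageDigest.isEqual(want, p[2].getBytes(UTF_8))) return null; // forged or altered
        // Atomic remove: succeeds once, so a replayed copy of the same cookie fails.
        return outstanding.remove(p[0], p[1]) ? p[0] : null;
    }

    public static void main(String[] args) throws Exception {
        RollingSessionToken t = new RollingSessionToken("constructed-demo-key".getBytes(UTF_8));
        String cookie = t.issue("0123456789ABCDEF.node1");   // constructed session id
        System.out.println("first use: " + t.verify(cookie));
        System.out.println("replay:    " + t.verify(cookie));
    }
}
```

A strict one-time value also rejects the second of two parallel requests from the same browser session, so a Valve built on this needs a policy for concurrent requests.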