2010/11/30 Andrea Corti <ilgrandemazin...@gmail.com>:
> Hi, I discovered that (perhaps) the problem arises in the following rows in
> the Request class:
>
>     // Attempt to reuse session id if one was submitted in a cookie
>     // Do not reuse the session id if it is from a URL, to prevent possible
>     // phishing attacks
>     if (connector.getEmptySessionPath()
>             && isRequestedSessionIdFromCookie()) {
>         session = manager.createSession(getRequestedSessionId());
>     } else {
>         session = manager.createSession(null);
>     }
>
> I have an empty sessionpath =true and the sessionid is stored in the
> jsessionid cookie, so the code goes into the first if, reusing the sessionid.
> I don't understand very well the comment in the code where it says "Attempt
> to reuse session id if one was submitted in a cookie"; is there any reason
> for this?
> Is it correct to comment out this if statement in order to always call
> createSession(null), or is there another way to work around this?
>
> Thanks in advance.
>
That will mean that every web application will use its unique value of
sessionid. Thus you can never share sessionid between them.

Effectively, that is not far away from just setting emptySessionPath="false".

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Common_Attributes

Best regards,
Konstantin Kolinko
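
Added example, not part of the original thread and not Tomcat source: a simplified model of the quoted branch, showing why the reuse path gives two web applications the same session id and why always calling createSession(null) behaves like emptySessionPath="false". The class SessionIdReuseDemo, the nested Manager and the doGetSession helper are hypothetical names for this sketch.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model (assumption): one Manager per web application (context).
public class SessionIdReuseDemo {

    static class Manager {
        final Map<String, String> sessions = new HashMap<>(); // id -> owning context
        final String context;

        Manager(String context) { this.context = context; }

        // Same contract as in the quoted snippet: null means "generate a new id".
        String createSession(String requestedId) {
            String id = (requestedId != null) ? requestedId : UUID.randomUUID().toString();
            sessions.put(id, context);
            return id;
        }
    }

    // The decision from the quoted Request code, with its inputs passed explicitly.
    static String doGetSession(Manager manager, boolean emptySessionPath,
                               boolean idFromCookie, String requestedId) {
        if (emptySessionPath && idFromCookie) {
            return manager.createSession(requestedId); // reuse the id the client sent
        }
        return manager.createSession(null);            // always a fresh id
    }

    public static void main(String[] args) {
        Manager appA = new Manager("/appA");
        Manager appB = new Manager("/appB");

        // First request reaches /appA without a cookie; with emptySessionPath=true
        // the resulting id is returned in a cookie whose path is "/".
        String cookie = doGetSession(appA, true, false, null);

        // The same browser then reaches /appB and sends that cookie.
        String shared = doGetSession(appB, true, true, cookie);
        System.out.println("reuse branch active: same id = " + shared.equals(cookie));

        // Branch commented out (always createSession(null)) or emptySessionPath=false.
        String separate = doGetSession(new Manager("/appB"), false, true, cookie);
        System.out.println("always createSession(null): same id = " + separate.equals(cookie));
    }
}
```

The first line prints true and the second prints false. In the reuse case the id stored by /appB is whatever value arrived in the cookie, which is the property to weigh when deciding between sharing one id across applications and per-application ids.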