On 15/01/2011 16:39, spr...@gmx.eu wrote:
>> I have a web app where the user logs in and starts an applet
>> which uploads a file and then opens a page in the browser. I
>> use Java 1.6_16.
>>
>> When I do this in TC 6.0.13 the session-ID stays the same
>> after login. Fine.
>> When I do this in TC 7.0.5 the session-ID changes when the
>> applet starts to communicate with the server. So the user is
>> losing his login and the app is broken.
>>
>> What feature in TC 7 leads to this problem? The new session
>> fixation prevention?
>
> OK, I think I've got it.
> Somewhat forces httponly cookies in IE, FF, Chrome. NOT in safari. Same
> machine, same java.
> After that it seems that the transfer of cookies between the browser
> and the java-plugin does not work anymore.
>
> I do not understand, why httponly is forced, because my web.xml is like
> this:
>
> <session-config>
>   <session-timeout>30</session-timeout>
>   <cookie-config>
>     <http-only>false</http-only>
>   </cookie-config>
> </session-config>
>
>
> How can I solve this?

You will also need to set useHttpOnly=false on the Context. For security,
Tomcat sets the httpOnly flag on the cookie if either of these are true.

Mark
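
An added example, not part of the original thread and not Tomcat's own code: a small audit that reads both settings named in the reply and reports whether the session cookie ends up HttpOnly. The sample files are constructed, the function names are hypothetical, and the default of useHttpOnly="true" when the attribute is absent is the Tomcat 7 default assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: the poster's web.xml fragment wrapped in a
# <web-app> root, and two candidate META-INF/context.xml files.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
</web-app>"""
CONTEXT_DEFAULT = "<Context/>"
CONTEXT_DISABLED = '<Context useHttpOnly="false"/>'


def local(tag):
    """Strip an XML namespace: '{ns}http-only' -> 'http-only'."""
    return tag.rsplit("}", 1)[-1]


def web_xml_http_only(web_xml):
    """<cookie-config><http-only> from web.xml; absent means false."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "cookie-config":
            for child in el:
                if local(child.tag) == "http-only":
                    return (child.text or "").strip().lower() == "true"
    return False


def context_use_http_only(context_xml):
    """useHttpOnly on <Context>; assumed to default to true when absent."""
    value = ET.fromstring(context_xml).get("useHttpOnly", "true")
    return value.strip().lower() == "true"


def session_cookie_http_only(web_xml, context_xml):
    """The flag is set if either source asks for it, as the reply states."""
    return web_xml_http_only(web_xml) or context_use_http_only(context_xml)


if __name__ == "__main__":
    for name, ctx in (("default Context", CONTEXT_DEFAULT),
                      ("useHttpOnly=false", CONTEXT_DISABLED)):
        print(name, "-> HttpOnly set:", session_cookie_http_only(WEB_XML, ctx))
```

With the poster's web.xml and an unmodified Context the result is still True, which matches the behaviour reported in the thread; only the second Context clears the flag.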