On Tue, 22 Oct 2002, Jan Kunzmann wrote:

> Date: Tue, 22 Oct 2002 11:49:42 +0200
> From: Jan Kunzmann <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Domainwide JSESSIONID cookie?
>
> Hi,
>
> Craig R. McClanahan wrote:
> >
> > On Mon, 21 Oct 2002, Jan Kunzmann wrote:
> >>[...]
> >>Is there any way to force Tomcat to create a domainwide JSESSIONID
> >>cookie without any context path (just for the whole mysite.com)?
> >>
> >
> >
> > Doing this
> > would also be a security vulnerability, because it would mean exposing
> > session ids to clients of your server that are not running that webapp
> > (therefore running the risk of some malicious client hijacking the
> > session without even having to snoop the network to find a valid session
> > id).
>
> There is no "running" or "not running" my webapp. The whole site is the
> webapp, but for some reasons it is split in several subdomains. I
> think I need to drill into Tomcat sources for this, don't I?
>

Or use something other than sessions, managed by your own cookie.  That
way, at least, you wouldn't be stuck with a non-standard version of Tomcat
from now on.

> Jan
>

Craig
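As an added example (not from Craig's or Jan's mail, and not Tomcat code), a small Python model of browser cookie scoping that shows why a domain-wide JSESSIONID (Domain=mysite.com; Path=/) is sent to every host and path under mysite.com, while Tomcat's default host-only cookie scoped to the context path reaches only the issuing webapp. Hostnames, paths and the session value are constructed; the matching rules follow RFC 6265 and ignore the Secure attribute and public-suffix checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # domain without leading dot
    host_only: bool    # True when the server sent no Domain attribute
    path: str


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host match; Domain cookies also
    match every subdomain of the given domain (RFC 6265 5.1.3)."""
    host, dom = request_host.lower(), cookie.domain.lower()
    if cookie.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Identical path, or cookie path is a prefix ending in '/' or
    followed by '/' in the request path (RFC 6265 5.1.4)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def exposure(cookie: Cookie, requests):
    """Return the (host, path) pairs in `requests` that would carry `cookie`."""
    return [(h, p) for h, p in requests
            if domain_matches(h, cookie) and path_matches(p, cookie.path)]


# Constructed sample: the same session id issued two ways.
DEFAULT_JSESSIONID = Cookie("JSESSIONID", "A1B2C3", "www.mysite.com", True, "/shop")
DOMAINWIDE_JSESSIONID = Cookie("JSESSIONID", "A1B2C3", "mysite.com", False, "/")

REQUESTS = [
    ("www.mysite.com", "/shop/cart"),    # the issuing webapp
    ("www.mysite.com", "/shopping"),     # other context with a similar prefix
    ("www.mysite.com", "/forum/post"),   # another webapp on the same host
    ("partner.mysite.com", "/"),         # a subdomain you may not control
    ("www.other.com", "/shop"),          # unrelated site
]

if __name__ == "__main__":
    for label, c in (("default", DEFAULT_JSESSIONID), ("domain-wide", DOMAINWIDE_JSESSIONID)):
        print(f"{label}: {exposure(c, REQUESTS)}")
```

Only the first request receives the default cookie; the domain-wide one reaches all four mysite.com requests, including the subdomain, which is the exposure Craig describes.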


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
