Hi,

I want my webapp to use "nice" URLs for a user's homepage (e.g. "http://server/user"). Because of that, I need to have an empty path in the session cookie. So far, I've been using "emptySessionPath".

However, "emptySessionPath" uses the session id from a cookie when creating a brand new session. Besides the "session fixation"/phishing problem, this poses problems with mod_jk load-balancing when the user may have an old session cookie in the browser. Let's say the user has the cookie JSESSIONID=xxx.t1, i.e. managed by the Tomcat server T1. Then the user navigates to a specially formatted URL that sends the request to another server (say the Tomcat server T2). Tomcat then creates a new session, but because of the cookie it names it "xxx.t1" (instead of "yyy.t2"). From then on, all the requests will be sent to server T1 by the load-balancer and they will fail because the session is invalid (since it was really created on T2).

So is there a way to have both session cookies with an empty path and have Tomcat use a new session id?

Thanks,
        Nahor
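As an added illustration (not part of the original thread, and not Tomcat or mod_jk code), here is a small Python model of the routing mix-up the post describes. It assumes two workers named t1 and t2, a fallback worker t1 for requests whose cookie names no known worker, and a `reuse_requested_id` switch that stands in for the behaviour the post attributes to emptySessionPath (a stale requested id being reused as the name of a brand new session). The first request is forced to t2 to model the "specially formatted URL"; later requests are routed the way mod_jk sticky sessions do, by the jvmRoute suffix after the last dot.

```python
"""Model of mod_jk sticky routing vs. session ids reused from a stale cookie.

Added example; constructed cookie values and worker names, not Tomcat/mod_jk code.
"""
import secrets

WORKERS = ("t1", "t2")          # assumed jvmRoute names of the two Tomcat instances
FALLBACK_WORKER = "t1"          # assumed worker used when the cookie names no known route


def jvm_route(session_id):
    """mod_jk sticky routing keys on the suffix after the last '.' in JSESSIONID."""
    if not session_id or "." not in session_id:
        return None
    return session_id.rsplit(".", 1)[1]


def route_request(session_id):
    """Pick the worker: sticky by route suffix if it names a known worker, else fallback."""
    route = jvm_route(session_id)
    return route if route in WORKERS else FALLBACK_WORKER


class Worker:
    """One Tomcat instance with its own jvmRoute and in-memory session store."""

    def __init__(self, route, reuse_requested_id):
        self.route = route
        # True models the behaviour described in the post: a new session takes
        # the id found in the (possibly stale) cookie instead of a fresh one.
        self.reuse_requested_id = reuse_requested_id
        self.sessions = set()

    def handle(self, requested_id):
        """Return (session id sent back in the cookie, whether an existing session was found)."""
        if requested_id in self.sessions:
            return requested_id, True
        if self.reuse_requested_id and requested_id:
            sid = requested_id                                  # stale id reused as-is
        else:
            sid = f"{secrets.token_hex(8)}.{self.route}"        # fresh id tagged with our route
        self.sessions.add(sid)
        return sid, False


def simulate(reuse_requested_id, stale_cookie="xxx.t1", requests=3):
    """Trace (worker, session id, existing?) per request, starting with a stale cookie.

    The first request is sent straight to t2; the rest are routed by jvm_route().
    """
    cluster = {r: Worker(r, reuse_requested_id) for r in WORKERS}
    cookie, worker, trace = stale_cookie, "t2", []
    for _ in range(requests):
        sid, existing = cluster[worker].handle(cookie)
        trace.append((worker, sid, existing))
        cookie = sid                      # browser stores whatever Set-Cookie sent back
        worker = route_request(cookie)    # mod_jk picks the next worker from the suffix
    return trace


if __name__ == "__main__":
    print("reuse stale id :", simulate(True))   # t2 names the session xxx.t1, then t1 gets it
    print("fresh id       :", simulate(False))  # t2 issues yyy.t2 and keeps receiving it
```

With the stale id reused, the session created on t2 is named xxx.t1, so the very next request is routed to t1, which has no such session; with a fresh id carrying the t2 route, every later request lands on the worker that actually holds the session.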


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
