>Number: 2593
>Category: other
>Synopsis: invalid domain in session cookie
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Jul 11 23:30:01 PDT 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: JServ 0.9.11/Apache 1.3.0
>Environment:
Any OS, problem in Java code
>Description:
It seems like the domain set for the session cookie in JServServletManager.createSession() is invalid. At least the cookie is not accepted by Netscape Communicator 4.04 when the Servlet is requested with an IP address as the host part.
>How-To-Repeat:
Try creating a session, with HttpServletRequest.getSession(true) when a Servlet is requested through a URL with an IP address, e.g. http://127.0.0.1/servlet/TestServlet
>Fix:
If there's no special reason for setting the domain that I'm not aware of I suggest removing the setDomain() call from createSession() so that the default is used.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
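An added example, not part of the original report and not JServ's code: one way to apply the suggested fix while still allowing an explicitly configured cookie domain. The report does not show what value createSession() passes to setDomain(), so the class, its method names, the `SESSIONID` cookie name and the `example.com` setting are all assumptions made for illustration. The Domain attribute is left off (giving a host-only cookie, the browser default) whenever the request host is an IP literal, a single-label name, or outside the configured domain.

```java
import java.util.Locale;
import java.util.regex.Pattern;

public class SessionCookieDomain {
    // Dotted-quad IPv4 literal; IPv6 literals contain ':' or arrive bracketed.
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    static boolean isIpLiteral(String host) {
        return host.startsWith("[") || host.indexOf(':') >= 0 || IPV4.matcher(host).matches();
    }

    // Strip an optional ":port" from a Host header value.
    static String hostOnly(String hostHeader) {
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                       // e.g. [::1]:8080
            int end = h.indexOf(']');
            return end > 0 ? h.substring(0, end + 1) : h;
        }
        int colon = h.lastIndexOf(':');
        // Exactly one colon means host:port; more than one is a bare IPv6 literal.
        return (colon > 0 && h.indexOf(':') == colon) ? h.substring(0, colon) : h;
    }

    // Returns the Domain value to send, or null to leave the attribute off.
    static String cookieDomainFor(String hostHeader, String configuredDomain) {
        String host = hostOnly(hostHeader);
        if (configuredDomain == null || isIpLiteral(host) || host.indexOf('.') < 0) {
            return null;    // host-only cookie: nothing configured, IP address, or single label
        }
        String d = configuredDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        boolean covers = host.equals(d) || host.endsWith("." + d);
        return covers ? d : null;   // never scope a cookie to a domain the host is not in
    }

    static String setCookieHeader(String name, String value, String hostHeader, String configuredDomain) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/");
        String domain = cookieDomainFor(hostHeader, configuredDomain);
        if (domain != null) sb.append("; Domain=").append(domain);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample Host header values; the cookie name and value are placeholders.
        String[] hosts = {"127.0.0.1", "127.0.0.1:8080", "[::1]:8080", "localhost", "www.example.com"};
        for (String h : hosts) {
            System.out.println(h + " -> " + setCookieHeader("SESSIONID", "abc123", h, "example.com"));
        }
    }
}
```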
