Re: Session IDs & XMLHttpRequests

2007-05-22 Thread Pid
Christopher Schultz wrote: Allen, ... Firebug must just be showing you selected pieces of information. Web developer is showing you the browser's view of the world, which includes the extra metadata. Update your copy of Firebug if it's not clear

Re: Session IDs & XMLHttpRequests

2007-05-22 Thread Christopher Schultz
Allen, Williams, Allen wrote: > Now, for the question: how is this ancillary information stored? The cookie contains all this information. When the cookie is transmitted to the browser, it contains all this information. Check it using an HTTP sniffer

Re: Session IDs & XMLHttpRequests [SOLVED]

2007-05-22 Thread Christopher Schultz
the session? I do use a different URL mapping >> for this servlet because of a "CheckUser" problem I had way back that >> started this whole chain. >> >> Next step is to download Frank's >> http://www.omnytex.com/test.zip and get >> that to wo

Re: Session IDs & XMLHttpRequests

2007-05-22 Thread Christopher Schultz
Allen, Williams, Allen wrote: > Yeah, I'm already sending some stuff over by URL anyway, but there seems > to be some concern floating around the net regarding session hijacking > if the session ID is readily available. However, although I wouldn't >

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
> started this whole chain. > > Next step is to download Frank's > http://www.omnytex.com/test.zip and get > that to work (also, I see what you mean by Headers under Firebug > Console, now, too- it is also repeated under Firebug Net). > > > -Original Message---

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
al Message- > From: Christopher Schultz [mailto:[EMAIL PROTECTED] > Sent: Tuesday, May 22, 2007 10:04 AM > To: Tomcat Users List > Subject: Re: Session IDs & XMLHttpRequests > > Allen, > > Williams, Alle

Re: Session IDs & XMLHttpRequests

2007-05-22 Thread Christopher Schultz
Allen, Williams, Allen wrote: > Will it work with POST as well as GET? Although I guess I'll soon find > out;-) It should work equally well with GET and POST. The browser should send cookies with every type of request (not just GET and POST). I str

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
L PROTECTED] > Sent: Tuesday, May 22, 2007 9:17 AM > To: Tomcat Users List > Subject: Re: Session IDs & XMLHttpRequests > > As long as it's encoded on the url as shown in the example below (and > defined in the servlet spec), tomcat will just pick it up > an

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
- > From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] > Sent: Monday, May 21, 2007 11:29 PM > To: Tomcat Users List > Subject: Re: Session IDs & XMLHttpRequests > > Let's start with this: > > http://www.omnytex.com/test.zip > > Just unzip into ${Tomcat}/webapps a

Re: Session IDs & XMLHttpRequests

2007-05-22 Thread David Smith
in for the help. -Original Message- From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] Sent: Monday, May 21, 2007 3:29 PM To: Tomcat Users List Cc: users@tomcat.apache.org; [EMAIL PROTECTED] Subject: Re: Session IDs & XMLHttpRequests I can say with 100% certainty that

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
I'll work on that today. > -Original Message- > From: Hassan Schroeder [mailto:[EMAIL PROTECTED] > Sent: Monday, May 21, 2007 5:32 PM > To: Tomcat Users List > Subject: Re: Session IDs & XMLHttpRequests > > On 5/21/07, Williams, Allen <[EMAIL PROTECTE

RE: Session IDs & XMLHttpRequests

2007-05-22 Thread Williams, Allen
'm looking for. > > There was no reference to cookies, and all the stuff that I > set was OK. > > Anyway, it seems to > > be getting the cookie. > > > > Any ideas as to why the session wouldn't use this cookie, > or why this > > cookie might be inval

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread Frank W. Zammetti
Let's start with this: http://www.omnytex.com/test.zip Just unzip into ${Tomcat}/webapps and try it... the first time you click the button you should see an alert saying testAttribute is null, the second time it should say "Test attribute has been set". Now, do this in Firefox and check each

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread Christopher Schultz
Allen, Williams, Allen wrote: > 2. What is the difference in the servlet invocation between a regular > URL invocation & an XMLHttpInvocation? I'll bet there isn't a difference, actually. I had a problem in the past where something went wrong and I e

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread Hassan Schroeder
On 5/21/07, Williams, Allen <[EMAIL PROTECTED]> wrote: As I said in my earlier post, the session being returned by getSession() is a new one; Can you create a simple test case WAR to demonstrate the failure? I have seen no such problems using Prototype, YUI, or DWR, which I'm currently incorpo

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread Pid
of this debugging, I have seen two JSESSIONIDs come over, one valid, one not. Thanks again for the help. -Original Message- From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] Sent: Monday, May 21, 2007 3:29 PM To: Tomcat Users List Cc: users@tomcat.apache.org; [EMAIL PROTECTED] Subject: R

RE: Session IDs & XMLHttpRequests

2007-05-21 Thread Williams, Allen
:[EMAIL PROTECTED] > Sent: Monday, May 21, 2007 3:29 PM > To: Tomcat Users List > Cc: users@tomcat.apache.org; [EMAIL PROTECTED] > Subject: Re: Session IDs & XMLHttpRequests > > I can say with 100% certainty that a servlet invoked with > XMLHttpRequest > **DOE

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread David Wall
Frank W. Zammetti wrote: I can say with 100% certainty that a servlet invoked with XMLHttpRequest **DOES** have the same access to server-side objects as a non-AJAX request. I say this based on two applications in production that do this all day long, one Struts-based, one not. I also say it b

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread Frank W. Zammetti
I can say with 100% certainty that a servlet invoked with XMLHttpRequest **DOES** have the same access to server-side objects as a non-AJAX request. I say this based on two applications in production that do this all day long, one Struts-based, one not. I also say it based on a number of other ap

RE: Session IDs & XMLHttpRequests

2007-05-21 Thread Williams, Allen
> I'd say if there are differences, it's in the javascript of > the client. Yeah, the problem is that the guts of the client JS are pretty opaque. > Have you used any sort of monitoring tool to find out if > XMLHttpRequest > is sending the session cookie? No, but I was going to modify t

Re: Session IDs & XMLHttpRequests

2007-05-21 Thread David Smith
I'd say if there are differences, it's in the javascript of the client. Have you used any sort of monitoring tool to find out if XMLHttpRequest is sending the session cookie? Have you tried encoding the JSESSIONID in the XMLHttpRequest via javascript? --David Williams, Allen wrote: I had

Session IDs & XMLHttpRequests

2007-05-21 Thread Williams, Allen
I had posted this question to four different Java fora over four days and gotten zero replies, when it occurred to me how stupid not to ask the community that wrote Tomcat. I was just going to post this, which is a summary that describes what I've found so far: -- QUOTE -- In the interest of inf