Re: Performance regression from 7 to 8

2016-03-03 Thread Olaf Kock
Tullio, just checking: * Have you isolated this to be a tomcat 7 vs 8 issue or could it also be a same-time change of the JVM? Network connection? Caching? * What's the test setup that you're using? Memory tuned? Apache in front? HTTP connector? AJP? Olaf Am 03.03.2016 um 12:06 schrieb Tullio Be

Re: Tomcat memory

2016-02-21 Thread Olaf Kock
ig, I would curious to know if the tomcat ui or the > catalina does not have a Xms and -Xmx, would it default to 400MB? I read this > in another forum. > > -Gokul > > > -Original Message- > From: Olaf Kock [mailto:tom...@olafkock.de] > Sent: Sunday, February 2

Re: Tomcat memory

2016-02-21 Thread Olaf Kock
This is rather a Java than a tomcat question: The JVM allocates memory based on whatever default your current JVM version decides (you don't mention what version of Java you're on) From a text on http://docs.oracle.com/javase/7/docs/technotes/guides/vm/gc-ergonomics.html that's linked from my Ja

Re: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-09 Thread Olaf Kock
Am 09.02.2016 um 15:10 schrieb Christopher Schultz: > On 2/9/16 6:28 AM, dku...@ccilindia.co.in wrote: > > > and then VA test results show that HSTS is not configured. > > It looks like "VA test" has a broken client: it's not issuing a valid > HTTP request. Just to make sure it's not the most o

Re: HTTP communication

2016-01-29 Thread Olaf Kock
I'll second Andre's answer: Just because you declare a 10d timeout, you can't rely on the connection to stay up for that long. You can't even rely on a connection to stay up during the download of a simple gif (although that's so quick that the odds for connection termination are a lot lower). Thi

Re: Tomcat - Multiple sites and SSL

2016-01-15 Thread Olaf Kock
Please clarify your intent: By default, tomcat has a /commented/ connector on 8443, which you can configure&activate. You can activate as many connectors on as many ports as you like. But if you have all applications on the same application server anyways (and are using the same hostnames): Why bo

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Olaf Kock
ther network cell. Conclusion: Protection by IP-address-fixation calls for random problems that are hard to reproduce. Olaf Am 12.01.2016 um 16:51 schrieb Christopher Schultz: > Olaf, > > On 1/11/16 4:12 PM, Olaf Kock wrote: >> Well, at least you do a bit of protection instead of just disa

Re: Tomcat 8.0.30 Session lost

2016-01-11 Thread Olaf Kock
Well, at least you do a bit of protection instead of just disabling the session fixation security filter. However, be aware that potentially many people might come from the same IP address - either because it's a NATing home router or a big company's proxy server. Especially if you want to attack s

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Olaf Kock
Is there any chance that the first and correctly authenticated cookies (despite the debug output "secure=false") are https-only cookies and won't get transmitted in http, thus triggering new sessions? E.g. any chance they get rewritten at another level (Apache httpd, ServletFilter, others) to be se
