RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Ok, I was wrong. I am reading up on it now and it apparently only disables the session cookie, which might be what I'm seeking. Thanks for the help. - Jonathan -Original Message- From: Jonathan Kushner [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:44 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append Sorry - forgot to mention. We are using cookies in various places to track different actions, so disabling cookies cannot be taken into account. Thanks for the technique though. -Original Message- From: Jonathan Kushner [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:40 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase: --- START --- I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test. We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this? --- END --- Thanks for the help. - Jonathan -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:14 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append > From: Jonathan Kushner [mailto:[EMAIL PROTECTED] > Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago. > I'm working with a current session identity issue between > separate browser instances, and have decided that the most > plausible solution is to reconfigure tomcat to auto-append > the JSESSION ID at the end of each URL. You will at least need to disable cookies: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique: http://marc.info/?l=tomcat-user&m=117583468505179&w=2 - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Sorry - forgot to mention. We are using cookies in various places to track different actions, so disabling cookies cannot be taken into account. Thanks for the technique though. -Original Message- From: Jonathan Kushner [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:40 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase: --- START --- I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test. We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this? --- END --- Thanks for the help. - Jonathan -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:14 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append > From: Jonathan Kushner [mailto:[EMAIL PROTECTED] > Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago. > I'm working with a current session identity issue between > separate browser instances, and have decided that the most > plausible solution is to reconfigure tomcat to auto-append > the JSESSION ID at the end of each URL. You will at least need to disable cookies: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique: http://marc.info/?l=tomcat-user&m=117583468505179&w=2 - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase: --- START --- I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test. We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this? --- END --- Thanks for the help. - Jonathan -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Monday, November 24, 2008 2:14 PM To: Tomcat Users List Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append > From: Jonathan Kushner [mailto:[EMAIL PROTECTED] > Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago. > I'm working with a current session identity issue between > separate browser instances, and have decided that the most > plausible solution is to reconfigure tomcat to auto-append > the JSESSION ID at the end of each URL. You will at least need to disable cookies: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique: http://marc.info/?l=tomcat-user&m=117583468505179&w=2 - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Tomcat Users: I'm working with a current session identity issue between separate browser instances, and have decided that the most plausible solution is to reconfigure tomcat to auto-append the JSESSION ID at the end of each URL. The only problem is, our system administrator cannot seem to dig up this information over the internet. I have not dug deep into the issue, but I trust his judgment, and thought I would send a note to the subscription line to see if anyone is familiar with the server.xml configuration change that needs to occur to enable this feature. I appreciate the assistance and apologize for any inconvenience. Regards, Jonathan
