You are right. With IE6, cookies must be accompanied by a privacy policy, which is a basic xml file. If this policy is not supplied, then IE6 won't allow tomcat to even set a session cookie.
There is a place at w3c.org where you can answer a bunch of questions and it will generate the policy for you and tell you how to use it. Brandon -----Original Message----- From: Jeff [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 07, 2002 10:22 AM To: Tomcat Users List Subject: Re: SessionMgmt: No Cookies sent - Instead only URL-Rewritting active I've observed the same phenomenon. It's just a theory, but I suspect it might have to do with Internet Explorer 6 itself. I think Microsoft quietly changed IE6's default cookie-acceptance behavior to automatically reject all cookies from sites not meeting its criteria for auto-acceptance. Taking a wild guess, IE6 might now automatically reject cookies from sites accessed via IP addresses that don't resolve to a hostname. Another possibility: a few years ago, when anti-cookie hysteria was being fanned by magazines eager to scare naive readers and people were disabling cookies for stupid reasons (like thinking a "malevolent cookie" could reformat their hard drive), Microsoft quietly introduced a special anonymous cookie-in-all-but-name ("session id") that persisted only for the duration of a single session (I think it even went away if you browsed to another site or were inactive for more than an hour), but could not be disabled (so IIS could depend upon its availability and use it to track users from page to page within the session and match the correct IIS session variables with the right user). I'm not sure whether Tomcat and other servlet containers take advantage of it (or whether they'd even be ABLE to without lying to the browser and pretending to be IIS), but I see two likely scenarios: 1) Tomcat (and other servlet containers) can't/don't use the special anonymous session ID, and IE6 is now denying session-cookies by default because something is triggering the behavior (non-resolvable IP, etc.) 2) Tomcat (and other servlet containers) DO use MSIE session IDs when available, but IE6 now denies even THAT to sites that fail to meet its criteria for acceptablity (possibly holding sites openly running a server other than IIS to a higher standard) >I was using Tomcat 3.2.1 and switched to Catalina 4.0.3 (both on Windows >2000). Now my browser (IE6.0 on Windows 2000) gets no cookies anymore. It >seems that the session management ist now handled using URL rewritting and I >don't know why. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
