On Mon, 21 Oct 2002, Jan Kunzmann wrote:

> Date: Mon, 21 Oct 2002 20:41:37 +0200
> From: Jan Kunzmann <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Domainwide JSESSIONID cookie?
>
> Greetings!
>
>
> I need to share Tomcat sessions between virtual hosts in different
> subdomains on my domain, e.g. www.mysite.com and user.mysite.com.
>
> But according to the servlet specs, Tomcat stores the session cookie
> with full host name and context path. So I get a cookie for
> www.mysite.com/servlet and another cookie for user.mysite.com/servlet.
>
> Is there any way to force Tomcat to create a domainwide JSESSIONID
> cookie without any context path (just for the whole mysite.com)?
>

You can certainly do this for your own cookies, but it would violate the
servlet spec requirements to make session id cookies work like this --
sessions are defined to be specific to individual webapps.  Doing this
would also be a security vulnerability, because it would mean exposing
session ids to clients of your server that are not running that webapp
(therefore running the risk of some malicious client hijacking the
session without even having to snoop the network to find a valid session
id).

> Thanks in advance,
> Jan

Craig
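
Added example, not part of the original thread: a JavaScript sketch of the RFC 6265 domain and path matching a browser applies, comparing the host-plus-context-path scoping described in the question with a cookie set for the whole of mysite.com. The `/otherapp` path is a hypothetical second webapp, and all request targets are constructed.

```javascript
// Added example: RFC 6265 cookie scope matching, with constructed hosts and paths.
// "/otherapp" is a hypothetical second webapp, not taken from the thread.

// RFC 6265 section 5.1.3: domain-match for a cookie carrying a Domain attribute.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: path-match ("/servletfoo" must not match "/servlet").
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// domain === null means host-only: returned only to the exact host that set it.
function isSent(cookie, host, path) {
  const hostOk = cookie.domain === null
    ? host.toLowerCase() === cookie.setBy.toLowerCase()
    : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(path, cookie.path);
}

// Scoping described in the question: full host name plus context path.
const specScoped = { setBy: "www.mysite.com", domain: null, path: "/servlet" };
// Scoping asked for: the whole domain, no context path.
const domainWide = { setBy: "www.mysite.com", domain: "mysite.com", path: "/" };

// Constructed request targets across both virtual hosts and two webapps.
const targets = [
  ["www.mysite.com", "/servlet/login"],
  ["www.mysite.com", "/otherapp/index.jsp"],
  ["user.mysite.com", "/servlet/login"],
  ["user.mysite.com", "/otherapp/index.jsp"],
];

// List every target that would receive the cookie in its request headers.
function recipients(cookie) {
  return targets.filter(([h, p]) => isSent(cookie, h, p)).map(([h, p]) => h + p);
}

console.log("host + context path:", recipients(specScoped));
console.log("Domain=mysite.com; Path=/:", recipients(domainWide));
```

With the domain-wide scope, the session id is delivered to every webapp on every host under mysite.com, which is the exposure the reply describes.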

