Hi,

Craig R. McClanahan wrote:
> On Mon, 21 Oct 2002, Jan Kunzmann wrote:
>> [...]
>> Is there any way to force Tomcat to create a domainwide JSESSIONID cookie without any context path (just for the whole mysite.com)?
>
> Doing this would also be a security vulnerability, because it would mean exposing session ids to clients of your server that are not running that webapp (therefore running the risk of some malicious client hijacking the session without even having to snoop the network to find a valid session id).

There is no "running" or "not running" my webapp. The whole site is the webapp, but for some reasons it is split into several subdomains. I think I need to drill into Tomcat sources for this, don't I?

Jan
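
Added example, not part of the original thread and not Tomcat code: the RFC 6265 domain-match and path-match rules, used to list which requests a browser attaches a JSESSIONID cookie to when it is scoped to one host and context path versus the whole of mysite.com. The subdomain names, the `/store` context path and the request list are constructed for illustration.

```javascript
// Which requests carry the session cookie? (RFC 6265 sections 5.1.3, 5.1.4)
// Host names and paths below are constructed sample values.

// Domain-match: identical host, or host ends with "." + cookie domain.
// (IP-address hosts are not handled in this sketch.)
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Path-match: equal, or cookie path is a prefix ending at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// domain === null models a cookie set without a Domain attribute
// (host-only): it goes back only to the host that set it.
function isSent(cookie, host, path) {
  const hostOk = cookie.domain === null
    ? host.toLowerCase() === cookie.originHost.toLowerCase()
    : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(path, cookie.path);
}

function recipients(cookie, requests) {
  return requests
    .filter((r) => isSent(cookie, r.host, r.path))
    .map((r) => r.host + r.path);
}

const requests = [
  { host: "shop.mysite.com", path: "/store/cart" },
  { host: "shop.mysite.com", path: "/other/index.jsp" },
  { host: "forum.mysite.com", path: "/index.jsp" },
  { host: "mysite.com", path: "/" },
  { host: "notmysite.com", path: "/" },
];

// Cookie limited to one host and one context path.
const contextScoped = { domain: null, originHost: "shop.mysite.com", path: "/store" };
// Domain-wide cookie with no context path, as asked about in the thread.
const domainWide = { domain: "mysite.com", originHost: "shop.mysite.com", path: "/" };

console.log("context-scoped:", recipients(contextScoped, requests));
console.log("domain-wide:   ", recipients(domainWide, requests));
```

Every application answering on any host under mysite.com receives the domain-wide cookie, so the session id is only as well protected as the least trusted of those applications.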
