> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, March 30, 2015 10:48 AM
> To: Tomcat Users List
> Subject: Re: Post Session Id
>
> Wesley,
>
> On 3/30/15 3:57 AM, Wesley Acheson wrote:
> > On Mon, Mar 30, 2015 at 2:17 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Wesley,
> > >
> > > On 3/29/15 1:15 PM, Wesley Acheson wrote:
> > > > A team I am working with use tomcat 7 as their web container.
> > > > The application cannot use url session tracking due to
> > > > compliance reasons.
> > > >
> > > > One of the requirements we are facing is that the
> > > > application should work in an iframe on the safari web
> > > > browser, which blocks all cookies.
> > >
> > > Do you mean that Safari has been configured to block all cookies?
> > > Because Safari won't block cookies just because you are using an
> > > <iframe>.
> >
> > Should have said it's a third-party domain name. That can't change
> > easily. Should have written that Safari blocks all third-party cookies.
>
> Okay, that explains it.
>
> Let me ask you... why is a path parameter (;jsessionid=f00)
> unacceptable but not a request parameter? Or is it that you want to
> have the parameters be in POST parameters only?
>
> In terms of forgery and/or capturing session identifiers, there's
> really no difference from a security perspective between any of these
> strategies.
>
> -chris
I may be being a little naïve here, but would the sessionCookieDomain parameter of the <Context> element work for the OP here?

Jeff