> I have a web app where the user logs in and starts an applet 
> which uploads a file and then opens a page in the browser. I 
> use Java 1.6_16.
> 
> When I do this in TC 6.0.13 the session-ID stays the same 
> after login. Fine.
> When I do this in TC 7.0.5 the session-ID changes when the 
> applet starts to communicate with the server. So the user is 
> losing his login and the app is broken.
> 
> What feature in TC 7 leads to this problem? The new session 
> fixation prevention?

OK, I think I've got it.
Something forces httponly cookies in IE, FF, Chrome. NOT in Safari. Same
machine, same Java.
After that it seems that the transfer of cookies between the browser
and the Java plugin does not work anymore.

I do not understand why httponly is forced, because my web.xml is like
this:

                <session-config>
                        <session-timeout>30</session-timeout>
                        <cookie-config>
                                <http-only>false</http-only>
                        </cookie-config>
                </session-config>


How can I solve this?

