On 09/02/2011 09:19, Gabriele Bulfon wrote: > The conf/context.xml is the default one from Tomcat7 distribution. > My webapp context.xml just contains resources definitions such as jdbc pools. > Where should I place this " > useHttpOnly" > flag, if this is the solution?
In your app's /META-INF/context.xml change <Context> ... </Context> to <Context useHttpOnly="false"> ... </Context> > My real question is about the jsessionid that is stated to be changed on > tomcat7, > so maybe swfupload is not able to track the session and run correctly. The reason is that the httpOnly attribute of a cookie prevents the cookie from being available to scripts and applets. This prevents the applet reading the session ID. Setting useHttpOnly="false" stops the httpOnly flag from being added to the cookie and makes it available to scripts and applets. Be aware that disabling the httpOnly attribute on the cookie significantly increases the impact of any XSS vulnerabilities in your web application. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
