André,

Thank you for your reply.

> So before I start down that path, I usually have a really good look at /why/
> I need to do that, and if I cannot cure the original disease, rather than the
> symptom.

Sorry. The point of view is very important, but I didn't mention it.

To be exact, I want to suffix a slash "/" to the cookie path.

From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
To  ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo/

My application returns a cookie with "Path=/foo", and I think it has a security
issue in that browsers send the cookie to every directory whose name begins
with "/foo" (such as /foobar, /food, etc.).

So I want to know whether or not the path could be fixed without changing my
apps.

Best regards.

(2011/04/18 19:59), André Warnier wrote:
> Yu Kikuchi wrote:
>> Hello All.
>>
>> My Environment of Application Server is:
>> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>>
>> I want to rewrite the Path contained in cookies. For example;
>> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
>> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>>
> ...
> Hi.
> With Apache httpd's mod_rewrite, mod_proxy, mod_headers, etc., you can do all
> kinds of manipulations of URLs, headers and cookies.
> But when you start along that path, sooner or later you will find yourself in
> a situation where the next small requirement conflicts with the ones you had
> before, and/or your configuration becomes really hard to understand and
> maintain.
> Also, each of these manipulations costs some time, in development and
> testing, and later in the server's CPU time.
> So before I start down that path, I usually have a really good look at /why/
> I need to do that, and if I cannot cure the original disease, rather than the
> symptom.
> For example, why can the original application not be at "/bar" instead of
> "/foo" ?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
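
The cookie-path scoping discussed in the message above, as an added example that is not part of the original thread: it compares plain string-prefix matching (the rule in the original Netscape cookie specification) with the path-match rule of RFC 6265 section 5.1.4 for `Path=/foo` and `Path=/foo/`, and shows the trailing-slash rewrite applied to a Set-Cookie value. All function names are hypothetical and the cookie value is constructed.

```python
import re

def legacy_prefix_match(cookie_path, request_path):
    """Plain string-prefix comparison (original Netscape cookie rule)."""
    return request_path.startswith(cookie_path)

def rfc6265_path_match(cookie_path, request_path):
    """Path-match as defined in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts when it ends on a "/" boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def add_trailing_slash(set_cookie_value):
    """Append "/" to the Path attribute of one Set-Cookie value if missing."""
    def fix(match):
        path = match.group(2)
        return match.group(1) + (path if path.endswith("/") else path + "/")
    return re.sub(r"(?i)(;\s*path=)([^;\s]*)", fix, set_cookie_value)

def scope_table(cookie_path, request_paths):
    """Map each request path to (legacy result, RFC 6265 result)."""
    return {p: (legacy_prefix_match(cookie_path, p),
                rfc6265_path_match(cookie_path, p))
            for p in request_paths}

if __name__ == "__main__":
    header = "JSESSIONID=0123456789ABCDEF; Path=/foo"  # constructed value
    fixed = add_trailing_slash(header)
    print(header, "->", fixed)
    requests = ["/foo", "/foo/", "/foo/app", "/foobar", "/food"]
    for cookie_path in ("/foo", "/foo/"):
        print("cookie Path=" + cookie_path)
        for path, (legacy, rfc) in scope_table(cookie_path, requests).items():
            print("  %-9s legacy=%-5s rfc6265=%s" % (path, legacy, rfc))
```

With `Path=/foo/`, neither rule sends the cookie on a request for exactly `/foo`, so the application must be reached through `/foo/` for the session cookie to be returned.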





