On Mon, Jul 21, 2008 at 11:26 AM, TomazM <[EMAIL PROTECTED]> wrote: > On http://ws.apache.org/xmlrpc/advanced.html write "Note, that this means > losing the XmlRpcClients multithreading abilities!" so this is not a good > solution. I wonder why is the limitation in HTTP header, in HTTP RFC there is > no limits of how long is message(maybe attacker will put 2G in header). > > Is there any example or documentation(not API) how you read this cookie on > server side?.
The problem is not the message size or something like that. If you bind a cookie to the XmlRpcClient instance, then the instance contains the details of the current session. For security purposes, you most possibly don't want to share the instance between multiple threads. In the case of Basic Authentication, there is no problem to use a single instance of XmlRpcClient with multiple threads, as the authentication details are bound to the configuration in that case. Jochen -- Look, that's why there's rules, understand? So that you think before you break 'em. -- (Terry Pratchett, Thief of Time)
