Posted to users@tomcat.apache.org by Kevin Huntly <km...@gmail.com> on 2023/04/13 22:03:18 UTC

Session loss with filter enabled

Hello,
With this filter enabled in Tomcat's web.xml:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

My sessions are being immediately lost. If I comment out the filter,
everything is fine. What does this filter actually do, and is it required if
the front-end webserver already handles hsts?
________________________________________________

Kevin Huntly
Email: kmhuntly@gmail.com
Cell: 716/424-3311
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------

Re: Session loss with filter enabled

Posted by Kevin Huntly <km...@gmail.com>.
Trying to make a PCI-DSS compliant installation. It looks like this filter
does everything that Apache can do with config files, so I'll leave it out.


On Fri, Apr 14, 2023 at 10:21 AM Mark Thomas <ma...@apache.org> wrote:

> On 13/04/2023 23:03, Kevin Huntly wrote:
> > Hello,
> > With this filter enabled in Tomcat's web.xml:
> >
> >      <filter>
> >          <filter-name>httpHeaderSecurity</filter-name>
> >          <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >          <async-supported>true</async-supported>
> >      </filter>
> >
> > My sessions are being immediately lost. If I comment out the filter,
> > everything is fine. What does this filter actually do,
>
>
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
>
>
> > and is it required if
> > the front-end webserver already handles hsts?
>
> That depends on why you added the filter. What features were you trying
> to enable?
>
> Mark
>
>

Re: Session loss with filter enabled

Posted by Mark Thomas <ma...@apache.org>.
On 13/04/2023 23:03, Kevin Huntly wrote:
> Hello,
> With this filter enabled in Tomcat's web.xml:
> 
>      <filter>
>          <filter-name>httpHeaderSecurity</filter-name>
>          <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>          <async-supported>true</async-supported>
>      </filter>
> 
> My sessions are being immediately lost. If I comment out the filter,
> everything is fine. What does this filter actually do,

https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java


> and is it required if
> the front-end webserver already handles hsts?

That depends on why you added the filter. What features were you trying 
to enable?

Mark


