Posted to users@tomcat.apache.org by "J.Gustafsson" <jo...@diabol.se> on 2007/11/22 23:05:09 UTC

Cross-domain calls when third-party cookies are not allowed

Hi,
I have an interesting problem (I think) that I wonder if someone could
assist me with.

I want to do cross-domain scripting. I have some JavaScript that makes a
cross-domain HTTP request to a Tomcat server. This works fine as long as
third-party cookies are allowed in the browser. Tomcat can keep track of the
session by the jsessionId. If cookies are not allowed at all in the browser,
I simply let the JavaScript decide not to make a cross-domain call at all.
Those are not interesting for my application. My problems appear when
first-party cookies are allowed but third-party cookies are not (the default
settings in IE7, I think). The JavaScript will think that cookies are allowed
and make the cross-domain HTTP call. Since third-party cookies are not
allowed, Tomcat is not allowed to set the jsessionId in a cookie, but instead
adds the jsessionId to the URL.

This is unfortunately not good enough for me. When third-party cookies are
allowed, my JavaScript provides a first-party cookie in the cross-domain
HTTP call. I use this value to identify the user, and set it on the session
created by Tomcat. If, however, Tomcat cannot set cookies, since third-party
cookies are not allowed, I simply cannot do it like this.

So what do I actually want to achieve?
I would like Tomcat to bypass its "sanity" check when URL rewriting is done. I
want Tomcat to create a session with a key (jsessionId) I provide it with.
Does this sound totally insane? Maybe it is. Perhaps there is another
solution I have not thought of?

I know there is another solution, running Tomcat session-less and writing to
a file/db for each call, but for performance reasons I would like to
avoid this.

Any ideas/proposals?

/jonas

-- 
View this message in context: http://www.nabble.com/Cross-domain-calls-when-third-party-cookies-are-not-allowed-tf4858744.html#a13904100
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
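An added example, not code from this thread or from Tomcat itself, showing the alternative to switching off the check Jonas describes. Tomcat discards an incoming session id (from a cookie or from ;jsessionid= in the URL) that does not match a live session and generates a fresh one; that is what stops session fixation, where an attacker plants an id that a victim's browser later presents. Instead of asking Tomcat to adopt a client-chosen id, the filter below lets the client send its own opaque token, looks the token up in a server-side registry, and binds the identified user to whatever session Tomcat chose. The parameter name `ctoken`, the attribute name `user`, and the in-memory registry are assumptions made for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Correlates a client-supplied opaque token with a Tomcat-generated session
 * instead of letting the client pick the JSESSIONID. (Example code; names
 * below are assumptions, not Tomcat or application conventions.)
 */
public class ClientTokenFilter implements Filter {
    static final String TOKEN_PARAM = "ctoken"; // assumed request parameter name
    static final String USER_ATTR = "user";     // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Server-side registry of issued tokens -> user id. A constructed
    // stand-in for whatever store the application really uses.
    private final Map<String, String> tokenToUser = new ConcurrentHashMap<String, String>();
    private FilterConfig config;

    /**
     * Issues a high-entropy bearer token for an already-authenticated user.
     * The client keeps it first-party and presents it on cross-domain calls.
     */
    public String issueToken(String userId) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenToUser.put(token, userId);
        return token;
    }

    /** Revokes a token, e.g. on logout, so it can no longer bind a session. */
    public void revokeToken(String token) {
        tokenToUser.remove(token);
    }

    @Override
    public void init(FilterConfig cfg) {
        this.config = cfg;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // This is the check the thread talks about: the id the client sent is
        // only honoured if it names a session that already exists here.
        if (http.getRequestedSessionId() != null && !http.isRequestedSessionIdValid()) {
            config.getServletContext().log("unknown session id presented; a new one will be issued");
        }
        // getSession(true) never adopts the client's id, so no caller can
        // choose the session key another user will end up with.
        HttpSession session = http.getSession(true);

        if (session.getAttribute(USER_ATTR) == null) {
            String token = http.getParameter(TOKEN_PARAM);
            String user = (token == null) ? null : tokenToUser.get(token);
            if (user != null) {
                // Bind the user to the server-chosen session; later calls that
                // carry the (URL-rewritten) JSESSIONID no longer need the token.
                session.setAttribute(USER_ATTR, user);
            }
        }
        chain.doFilter(req, res); // the application reads USER_ATTR from the session
    }

    @Override
    public void destroy() {
        tokenToUser.clear();
    }
}
```

Because the token is a bearer credential, it should travel in a POST body or a request header rather than the query string, which ends up in access logs and Referer headers, and registry entries should expire rather than live for the lifetime of the JVM. The session id itself stays Tomcat's choice, which is the property the "sanity" check exists to protect.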


Re: Cross-domain calls when third-party cookies are not allowed

Posted by "J.Gustafsson" <jo...@diabol.se>.
Hi,
Thanks for your feedback.

As I have understood it, the P3P policy file is kind of "dead" because of the
lack of support from the browser implementers (from www.w3c.org: "The P3P
Specification Working Group took this step as there was insufficient support
from current Browser implementers for the implementation of P3P 1.1").

Is this correct?

regards, 

/jonas


Leon Rosenberg-3 wrote:
> 
> I believe if you set the p3p policy correctly (in your tomcat) ie7
> will accept the third party cookies.
> 
> regards
> Leon
> 

-- 
View this message in context: http://www.nabble.com/Cross-domain-calls-when-third-party-cookies-are-not-allowed-tf4858744.html#a13995129
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: Cross-domain calls when third-party cookies are not allowed

Posted by Martin Gainty <mg...@hotmail.com>.
Jonas-
 
Many larger organisations are starting to discourage reading/writing cookies, as it allows one to introduce cross-domain security breaches as well as storing potential viruses.
Have you looked at a strategy of URL rewriting, or sending all information to the server including the <j>sessionid?
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
Martin

Re: Cross-domain calls when third-party cookies are not allowed

Posted by Leon Rosenberg <ro...@googlemail.com>.
I believe if you set the P3P policy correctly (in your Tomcat) IE7
will accept the third-party cookies.

regards
Leon
