Posted to users@tomcat.apache.org by Jeff <je...@tiaxa.net> on 2002/05/07 17:21:55 UTC

Re: SessionMgmt: No Cookies sent - Instead only URL-Rewritting active

I've observed the same phenomenon.

It's just a theory, but I suspect it might have to do with Internet Explorer
6 itself. I think Microsoft quietly changed IE6's default cookie-acceptance
behavior to automatically reject all cookies from sites not meeting its
criteria for auto-acceptance. Taking a wild guess, IE6 might now
automatically reject cookies from sites accessed via IP addresses that don't
resolve to a hostname.

Another possibility: a few years ago, when anti-cookie hysteria was being
fanned by magazines eager to scare naive readers and people were disabling
cookies for stupid reasons (like thinking a "malevolent cookie" could
reformat their hard drive), Microsoft quietly introduced a special anonymous
cookie-in-all-but-name ("session id") that persisted only for the duration
of a single session (I think it even went away if you browsed to another
site or were inactive for more than an hour), but could not be disabled (so
IIS could depend upon its availability and use it to track users from page
to page within the session and match the correct IIS session variables with
the right user).  I'm not sure whether Tomcat and other servlet containers
take advantage of it (or whether they'd even be ABLE to without lying to the
browser and pretending to be IIS), but I see two likely scenarios:

1) Tomcat (and other servlet containers) can't/don't use the special
anonymous session ID, and IE6 is now denying session-cookies by default
because something is triggering the behavior (non-resolvable IP, etc.)

2) Tomcat (and other servlet containers) DO use MSIE session IDs when
available, but IE6 now denies even THAT to sites that fail to meet its
criteria for acceptability (possibly holding sites openly running a server
other than IIS to a higher standard)

>I was using Tomcat 3.2.1 and switched to Catalina 4.0.3 (both on Windows
>2000). Now my browser (IE6.0 on Windows 2000) gets no cookies anymore. It
>seems that the session management is now handled using URL rewriting and I
>don't know why.



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: SessionMgmt: No Cookies sent - Instead only URL-Rewritting active

Posted by Brandon Cruz <bc...@norvax.com>.
You are right.  With IE6, cookies must be accompanied by a privacy policy,
which is a basic XML file.  If this policy is not supplied, then IE6 won't
allow Tomcat to even set a session cookie.

There is a place at w3c.org where you can answer a bunch of questions and it
will generate the policy for you and tell you how to use it.


Brandon

-----Original Message-----
From: Jeff [mailto:jefflists@tiaxa.net]
Sent: Tuesday, May 07, 2002 10:22 AM
To: Tomcat Users List
Subject: Re: SessionMgmt: No Cookies sent - Instead only URL-Rewritting
active


I've observed the same phenomenon.

It's just a theory, but I suspect it might have to do with Internet Explorer
6 itself. I think Microsoft quietly changed IE6's default cookie-acceptance
behavior to automatically reject all cookies from sites not meeting its
criteria for auto-acceptance. Taking a wild guess, IE6 might now
automatically reject cookies from sites accessed via IP addresses that don't
resolve to a hostname.

Another possibility: a few years ago, when anti-cookie hysteria was being
fanned by magazines eager to scare naive readers and people were disabling
cookies for stupid reasons (like thinking a "malevolent cookie" could
reformat their hard drive), Microsoft quietly introduced a special anonymous
cookie-in-all-but-name ("session id") that persisted only for the duration
of a single session (I think it even went away if you browsed to another
site or were inactive for more than an hour), but could not be disabled (so
IIS could depend upon its availability and use it to track users from page
to page within the session and match the correct IIS session variables with
the right user).  I'm not sure whether Tomcat and other servlet containers
take advantage of it (or whether they'd even be ABLE to without lying to the
browser and pretending to be IIS), but I see two likely scenarios:

1) Tomcat (and other servlet containers) can't/don't use the special
anonymous session ID, and IE6 is now denying session-cookies by default
because something is triggering the behavior (non-resolvable IP, etc.)

2) Tomcat (and other servlet containers) DO use MSIE session IDs when
available, but IE6 now denies even THAT to sites that fail to meet its
criteria for acceptability (possibly holding sites openly running a server
other than IIS to a higher standard)

>I was using Tomcat 3.2.1 and switched to Catalina 4.0.3 (both on Windows
>2000). Now my browser (IE6.0 on Windows 2000) gets no cookies anymore. It
>seems that the session management is now handled using URL rewriting and I
>don't know why.


