-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Wesley,
On 3/29/15 1:15 PM, Wesley Acheson wrote: > A team I am working with use tomcat 7 as their web container. The > application cannot use url session tracking due to compliance > reasons. > > One of the requirements we are facing is that the application > should work in an iframe on the safari web browser, which blocks > all cookies. Do you mean that Safari has been configured to block all cookies? Because Safari won't block cookies just because you are using an <iframe >. > For this purpose I'd like to post some value around that acts as a > session Id. However I'm not sure if this is possible? If you write a Valve (which would be Tomcat-specific, and not work under other servlet containers), you could change the way Tomcat reads session identifiers from the request (and use a request parameter instead of a path parameter). Or you could handle session-management yourself and not use servlet-spec-style session-tracking (which would be WAY more invasive to your application). > *I'm aware that this won't work for common paradigms such as > POST-REDIRECT-GET.* > > Looking at CoyoteAdaptor.java seems to suggest that session Id can > only be retrieved using SSL COOKIE and URL. > > COOKIE is out because of third party issues. URL is out because of > compliance. SSL may be a possiblity but only if it doesn't involve > custom client certificates. > > Is there any good place to hook in a post parameter for retrieving > and reattaching the session? I've not done this before. CoyoteAdapter calls request.setRequestedSessionId in a few places, and I don't believe CoyoteAdapter can be overridden or replaced directly. If you had a Valve that ran before anything else, you might be able to capture the request, read a request parameter, and then call setRequestedSessionId yourself with that replacement value. YMMV - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVGJYFAAoJEBzwKT+lPKRYn8oP/0LIWZKl5Nf/bYdN1BeosGFF 6hLS/mEDZ+XUD/NMpGpTHjoin3+32m7kGKEGCCApQDc4GAUlIwJGzLeLPsGfFaoo QXXyM6XUfpHWmJaEPtAySe0CZ/fwOKvL/DKuuO7UbtjFmNc8Pm/e87p5lmprsaQ1 C+4pfXsV5ltdDO8eZU0ofOHAXA0qkDuizeixwEcG3sXnNqF4Hr7Oq4gF0TKwCAU9 6Hce0NYVY61YY64U0m+dCCsH5a9hMUlu48YGDA9JemKmeNLexR3TrxFC8LT8iqUW jXNygDD7GBfFBhIiYujUo3HwSCNW091OMy6Vb0DhcSOlL11LVpK2+eNLZ1aM3kHI 881Onen2evMjzZ3PcALw2SqN3Cmr8dqMp0YhrJc2jsZ6OXBrYSuSCYCw4A0tDlN7 GTusoqFobmipgXu+sksZh5A6h5uyThVTLikG3CQ72wvTDMzRBh1YrNPc027BLuKN k/KOoBv3Lkyan+pSEbzQCCchB2IQ/CSFHoD8jgfzcHehJ5qB1Mrwo97kwsh1qbvk IjGssbqyDrTmfrKVyl1ypeCi18l7pn9GrTzJwFoNUxmfd+42elwCrRPUdCYYZuR8 9Ne8uYegBwnvRQpDN5RCK73Bqpyi2lgyP10Ph20TvnQ3ACDNbb6247TOTPGnItGr G5g/FyojfAtvlnhe7+r4 =0axs -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org