I think I already tried placing that flag in my context.xml where you suggested, but it didn't work.... I'll try again and let you know. Thanks, Gabriele. ---------------------------------------------------------------------------------- Da: Mark Thomas A: Tomcat Users List Data: 9 febbraio 2011 12.18.15 CET Oggetto: Re: Tomcat7 - Firefox - SWF Upload On 09/02/2011 09:19, Gabriele Bulfon wrote: The conf/context.xml is the default one from Tomcat7 distribution. My webapp context.xml just contains resources definitions such as jdbc pools. Where should I place this " useHttpOnly" flag, if this is the solution? In your app's /META-INF/context.xml change ... to ... My real question is about the jsessionid that is stated to be changed on tomcat7, so maybe swfupload is not able to track the session and run correctly. The reason is that the httpOnly attribute of a cookie prevents the cookie from being available to scripts and applets. This prevents the applet reading the session ID. Setting useHttpOnly="false" stops the httpOnly flag from being added to the cookie and makes it available to scripts and applets. Be aware that disabling the httpOnly attribute on the cookie significantly increases the impact of any XSS vulnerabilities in your web application. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
