需求有轻重缓急,功能有可控不可控。 需求有版本有截止(否则会无休无止),功能不可控变为可控。 集中兵力消灭敌人有生力量,集中优势兵力消灭敌人有生力量。



Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript?

Using Tomcat 6:

alert(document.cookie); // JSESSIONID=8675309ABCDEF...

Using Tomcat 7:

alert(document.cookie); // nothing

the answer as follow:

Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the <Context> container.

<Context useHttpOnly="false" [...] />

For more information about updating from Tomcat 6 to 7: Migrating from 6.0.x to 7.0.x

I'm not sure why I didn't see that in the docs before, but I've verified that setting this to false does in fact cause Tomcat 7 to revert to the Tomcat 6 behavior.

posted on 2016-01-13 20:57  silentjesse  阅读(5337)  评论(0编辑  收藏  举报