helping a colleague from another team on one issue.
basically, this is the problem. From accounts application (java EE web application), there is a hyperlink for a Infoview.jsp.
This Infoview.jsp does is, to add cookies to the client browser, and use these cookies for single-sign-on. So user-id, for example has been put into these cookie. Then immediately, it would redirect to another connectiv.jsp, which would simply check the cookie value and verify where to proceed.
This connectiv.jsp, is on another web application on another server.
Okie, so such settings, it has been working well before. Then now, they try to upgrade, from tomcat 5.1 to 5.5, Jboss upgrade also, and on another server. Then problem arises, when click the hyperlink for infoview.jsp, instead of launching the other application, it would ask for user name and credential.
They are thinking maybe tomcat 5.5 and 5.1 architect changes.. Err…
after some checking, it’s most likely XSS again. because they shift the accounts application to another server. And when used, they use the cname of this server. However, which this infoview.jsp, try to add cookie, it’s adding cookie to the full name domain. so for browser, it seems like it’s “cross site scripting”. The browser is requesting for infoview.jsp on server A, however, this jsp then try to set up cookie for domain B.
Which is insecure!!! Don’t blame the browser, that’s what it can do in nowadays. And even if it try to do more, you would blame it for the slow response.
And also, there are some cache problems. Need to remove the xxx_jsp.java, and xxx_jsp.class.