(from mail conversation)
Hi,
With update 20220411 we introduced improved security management, in which a security-id cookie is always sent from the client side to ensure that no "man in the line" can hijack sessions.
There are some situations in which this causes problems (e.g. when running cc-pages inside an IFRAME). In this case you can switch off this security-id management by using the system.xml configuration file:
Code:
<system>
    ...
    <filterconfiguration
        active="false"
        classname="org.eclnt.jsfserver.util.SecurityFilterGeneral"/>
    ...
</system>
If you use this setting, session hijacking is still prevented, but it is then based not on cookie management but on internal sending of corresponding ids.
Please contact us in this case! We are of course interested in collecting information about scenarios in which the "general management" has problems.
Kind regards! Björn