Windows

  1. Download the latest available version of Tomcat. You can use the .exe version, which installs Tomcat as a service, or the .zip archive. (Tomcat 7 is the preferred version.)
    1. Execute the file and install using the default settings
    2. Accept the license agreement

...

Code Block
sudo service tomcat7 start
sudo service tomcat7 stop
sudo service tomcat7 restart


Security Enhancements

  • In the newest versions of Tomcat (> version 7), the server sets the HttpOnly flag by default. In older versions of Tomcat, the flag has to be set through configuration. HttpOnly is an additional cookie flag that prevents an XSS (Cross-Site Scripting) exploit from gaining access to the session cookie. One of the best-known ways an XSS attack proceeds is to read the session cookie and then hijack the victim’s session, so the HttpOnly flag is a useful prevention mechanism: with it set, a client-side script cannot access the session cookie. To add the HttpOnly flag to session cookies in older versions of Tomcat, edit <TOMCAT_HOME>/conf/context.xml and add the useHttpOnly="true" attribute as below:

    Code Block
    <Context useHttpOnly="true">
        <Manager pathname="" />
        <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
    </Context>

    https://issues.openmrs.org/browse/TRUNK-3941
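To confirm the setting took effect after a restart, the following added example (not part of the original page or of OpenMRS/Tomcat) checks both the context.xml content and the Set-Cookie header the server returns. The sample XML, the response headers and the /openmrs cookie path are constructed for illustration; JSESSIONID is Tomcat's default session cookie name.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not captured from a real server).
CONTEXT_BEFORE = '<Context><Manager pathname="" /></Context>'
CONTEXT_AFTER = '<Context useHttpOnly="true"><Manager pathname="" /></Context>'
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/openmrs\r\n"
    "Content-Type: text/html\r\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/openmrs; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)


def context_sets_httponly(context_xml):
    """True only when the root <Context> explicitly carries useHttpOnly="true".

    An absent attribute is reported as False: the effective default depends on
    the Tomcat version, so this audit asks for the explicit setting.
    """
    root = ET.fromstring(context_xml)
    return root.tag == "Context" and root.get("useHttpOnly", "").strip().lower() == "true"


def cookies_missing_httponly(raw_headers, watched=("JSESSIONID",)):
    """Return watched cookie names whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0]
        # Compare attribute names only, so a cookie *value* containing the
        # text "HttpOnly" is not mistaken for the flag.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if name in watched and "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, ctx, resp in (("before", CONTEXT_BEFORE, RESPONSE_BEFORE),
                             ("after", CONTEXT_AFTER, RESPONSE_AFTER)):
        print(label, context_sets_httponly(ctx), cookies_missing_httponly(resp))
```

In practice, feed `cookies_missing_httponly` the response headers of a request that creates a new session, since Tomcat only sends Set-Cookie when the session is first issued.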