I don't know how to do it within Tapestry, but generally you can use a
filter to make sure that jsessionid is never set as a secure cookie. I
dug up some old code that does that; I think it works:
public class TomcatUnifiedSessionFilter implements Filter {
    public void destroy() {
        //
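To make the filter approach concrete, here is an added example (my own code, not the TomcatUnifiedSessionFilter quoted above nor anything from Tapestry or Tomcat). It assumes a javax.servlet 2.x container that, like Tomcat, creates the session cookie at getSession() time with Secure set whenever the request arrived over HTTPS and with Path equal to the context path; the class and method names are hypothetical. It does not try to intercept the container's own Set-Cookie (Tomcat writes that on its internal response object, past any filter wrapper); instead it creates the session up front and emits a second Set-Cookie for JSESSIONID without the Secure attribute, relying on the browser keeping the last cookie it receives for a given name, domain and path. Note the trade-off this buys into: the session id will now be sent over plain HTTP, which is exactly what the cookie-hijacking write-up linked later in this thread exploits, so anything that grants privilege should live in a separate cookie that stays Secure, as the poster already does.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not the thread's own code): ensures the
 * browser ends up holding JSESSIONID as a non-Secure cookie, so a session that
 * was created on the HTTPS login page is still sent on later plain-HTTP requests.
 *
 * Trade-off: the session id now travels in clear text over HTTP, so an on-path
 * attacker can capture and replay it. Keep anything that grants privilege in a
 * separate Secure-only cookie rather than in this session.
 */
public class SessionCookieUnsecureFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only an HTTPS request can make the container mark the cookie Secure.
        if (request.isSecure()) {
            // Force the session to exist now, before the servlet runs and before
            // the response is committed, so the container's own Set-Cookie
            // (Secure, because this request is HTTPS) is written first ...
            HttpSession session = request.getSession(true);
            // ... and ours, same name and path but without Secure, follows it.
            // Browsers keep the last Set-Cookie for a given name/domain/path,
            // so the non-Secure copy is the one that sticks.
            response.addHeader("Set-Cookie",
                    unsecuredSessionCookie(session.getId(), request.getContextPath()));
        }
        chain.doFilter(request, response);
    }

    /**
     * Builds the replacement header value. Path must match what the container
     * used for its own cookie (assumed here: the context path, "/" for the root
     * context), otherwise the browser stores two cookies instead of replacing one.
     */
    static String unsecuredSessionCookie(String sessionId, String contextPath) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        // HttpOnly stops scripts from reading the id; it does nothing against
        // network sniffing, which is the exposure this filter reintroduces.
        return SESSION_COOKIE + "=" + sessionId + "; Path=" + path + "; HttpOnly";
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml ahead of any filter that might commit the response, and check the result in the browser's cookie store after logging in: there should be exactly one JSESSIONID for the site, without the Secure flag. If two appear, the Path attribute does not match the container's and the assumption above needs adjusting.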
Martijn,
I get the rationale, which is why I have other cookies that are marked
as secure; however, the JSESSIONID cookie has a special use by the JSP
server and is used for associating a user with a session, so it should
always be passed unsecured just to keep the user associated with the
The rationale for securing the cookies (i.e. only send them when an https
connection is used) is that if your cookies are not protected you are
vulnerable to cookie hijacking.
See for example:
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
Perhaps you can override the cookie se
I am having a small problem with the JSESSIONID cookie having its secure
property set to TRUE when you initially connect. We have a login page
that is displayed first and uses SSL. After login only certain parts
of the web site use SSL. However, since the initial connection to the web
server was wi