approach that
> > is to do pattern matching (10.*) on request.remoteAddr to flag
> > RequestFacade.secure=true if the requests come from my secured network
> > area. This will let request.secure=false if request.scheme=http and
> > thus have non-secure JSESSIONID cookies.
learly.
> If all this is too complex, I will fall back to another approach that
> is to do pattern matching (10.*) on request.remoteAddr to flag
> RequestFacade.secure=true if the requests come from my secured network
> area. This will let request.secure=false if request.scheme=http and
ecure=false if request.scheme=http and
thus have non-secure JSESSIONID cookies.
I tested with a valve called SecuredRemoteAddressesValve (1) that I
precede with RemoteIpValve (2) to process the x-forwarded-for header to
find the real remoteAddr and this works fine.
Thanks very much for your help,
Cyrille
(1)
>> (non-secure) HTTP connector and still set scheme=https. Do you have some
>> portion of your application that relies on request.getScheme() returning
>> "HTTP"?
>
> My application only checks request.secure=true.
>
> I would like Tomcat to create non-secu
=https. Do you have some
> portion of your application that relies on request.getScheme() returning
> "HTTP"?
My application only checks request.secure=true.
I would like Tomcat to create non-secure JSESSIONID cookies (i.e.
non-ssl cookies) on the connector with secure=true and s
still set scheme=https. Do you have some
portion of your application that relies on request.getScheme() returning
"HTTP"?
> However, if request.secure=true, whatever is the value of
> request.scheme, Tomcat generates a secure JSESSIONID cookie. My
> problem is that most http clien
ou have a reason to set request.secure=false while request.scheme=https?
I may not have been clear.
My need is the opposite: I want to have request.secure=true but
request.scheme=http.
However, if request.secure=true, whatever is the value of
request.scheme, Tomcat generates a secure JSESSIONID
Cyrille,
On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote:
> I am interested in using the "secure" attribute of Tomcat
> connectors for non https/ssl requests. However, the "ssl only"
> JSESSIONID cookie mechanism currently relies on "request.secure ==
Hello,
My use case may not have been clear enough:
The "internal over http connector : secure = true, scheme = http"
doesn't behave as I would like for stateful requests because Tomcat
generates a secure JSESSIONID cookie even if the configured scheme is
"http" rather t
Hello,
I am interested in using the "secure" attribute of Tomcat
connectors for non https/ssl requests. However, the "ssl only"
JSESSIONID cookie mechanism currently relies on "request.secure ==
true" rather than on "request.scheme == https" (1). A confusion on
"secure vs. https" seems to co
GF,
GF wrote:
|> I believe if your session starts through HTTPS, the cookie will be
|> marked as secure and it won't be sent if the user switches to non-secure
|> HTTP.
|
| Maybe my question is stupid, but, is it possible to browse a site on
| HTTP a
> I believe if your session starts through HTTPS, the cookie will be
> marked as secure and it won't be sent if the user switches to non-secure
> HTTP.
Maybe my question is stupid, but, is it possible to browse a site on
HTTP and having just the JSESSIONID cookie sent on HTTPS to prevent
session s
GF,
GF wrote:
| can you give me a link about setting up a secure JSessionID cookie? I
| mean to let it pass over HTTPS and not HTTP.
I believe if your session starts through HTTPS, the cookie will be
marked as secure and it won't be sent i
Hello,
can you give me a link about setting up a secure JSessionID cookie? I
mean to let it pass over HTTPS and not HTTP.
Thank you.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED
14 matches