I couldn't find any spec for doing this. I haven't been able to find much detailed information about any version of IE. I just experimented and found this worked.

We have tested this on all current browsers that IU applications should support (Netscape 6.2, Mozilla 0.9.9, IE 5.0, 5.5, IE 6.0 on Mac, Windows & Linux). As you can see, we did not do exhaustive testing because we don't have the facilities to do so.

If the tomcat team doesn't want to use my patch, I fully understand, but the code that is in prod now doesn't work at all on current versions of IE on the Mac (if you are running SSL). When we deploy tomcat in our environment, we'll be using this patch until a better one is found.

Just as a side note, Websphere 4.x works properly in the same situation because its JSESSIONID cookie is not sent as a secure cookie if the session is HTTPS. I'm not sure if I feel that this is proper, but it works for us where tomcat doesn't. I would hope someone can come up with a solution, if mine isn't selected as the solution. The way it is, tomcat is broken in this one case. I'm not complaining - tomcat is great software. We'd rather use it than Websphere in most cases! I just hope that someone can come up with a good solution to this problem.

By the way, I don't understand the comment below because tomcat only sends ;Secure (or ; Secure) on cookies sent via an HTTPS session and then, you have to specify sending a secure cookie. Testing under HTTP shouldn't be required because tomcat shouldn't send a secure cookie down HTTP. If it does, the browser should ignore the cookie based on the cookie spec on the netscape web site.

I currently don't subscribe to the tomcat-dev list, so if you want to ask me about something, please make sure to reply to me directly.

I leave it in your very capable hands. :)

Thanks
Jay

On Sat, 6 Apr 2002, Anders Rundgren wrote:

> Hi Jay,
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6983
>
> I noted that you added a blank to create "; Secure" instead of ";Secure".
> I am just curious where you got the background spec. for doing this
> change and if you have verified this with Mac IE 5?
>
> Well, I'm sure you have!
>
> BTW, does any browser handle this flag correctly? I.e. not sending
> secure cookies in non-secure sessions. It seems that cookie changes
> must be verified with a lot of browsers as we have noted subtle
> differences in old and new Netscapes, IEs, Operas etc. A real
> nightmare IMHO!
>
> ====================================================
> Actually I think this patch may not be enough as it is likely to be handled
> differently among browsers. If somebody wants to switch from https to
> http it may work with some browsers only. I.e. I urge that the Tomcat
> team makes a configuration setting for this. Several other people have
> indicated that they want to use Tomcat in this [not entirely recommendable]
> way. Such a setting may affect other parts of Tomcat as well but that is just
> a guess, as I know practically nothing about the Tomcat inside. Locating the
> "&Secure" stuff was just a shot in the air [using grep]...
> ====================================================
>
> Regards
> Anders Rundgren,
> [a most of the time a] happy Tomcat user
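The two points the thread turns on are (1) whether a client reads ";Secure" and "; Secure" as the same attribute, and (2) what the Secure flag means for a JSESSIONID cookie once the user moves between HTTPS and HTTP. The following is an added illustration, not Tomcat's code and not any browser's implementation: a whitespace-tolerant Set-Cookie parser plus a minimal cookie jar that applies the Secure rule the way the poster expects a browser to (never send a Secure cookie over HTTP, and ignore a Secure cookie that arrives over HTTP). The `CookieJar` policy and the sample header values are constructed for the example.

```python
"""Added example (not Tomcat or browser code): tolerant Secure-attribute
parsing and the client-side rule for Secure cookies.  All header values
used here are constructed samples."""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie.

    Every piece is split on ';' and stripped of surrounding whitespace, so
    the attribute list reads identically whether the server emitted
    ';Secure' or '; Secure' (the spelling difference the patch is about).
    """
    pieces = [p.strip() for p in header.split(";")]
    name, sep, value = pieces[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("malformed cookie-pair: %r" % pieces[0])
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in pieces[1:]:
        if not attr:
            continue  # tolerate ';;' or a trailing ';'
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True  # flag attribute, carries no value
        else:
            cookie.attrs[key] = val.strip()
    return cookie


class CookieJar:
    """Minimal user-agent cookie store (constructed policy, assumed here):
    a Secure cookie is only sent on HTTPS requests, and a Secure cookie
    received over plain HTTP is ignored rather than stored."""

    def __init__(self):
        self._store = {}

    def receive(self, header: str, over_https: bool) -> bool:
        """Store the cookie; return False if it was dropped by the Secure rule."""
        cookie = parse_set_cookie(header)
        if cookie.secure and not over_https:
            return False
        self._store[cookie.name] = cookie
        return True

    def cookie_header(self, over_https: bool) -> str:
        """Build the Cookie request header for a request on the given scheme."""
        parts = [
            "%s=%s" % (c.name, c.value)
            for c in self._store.values()
            if over_https or not c.secure
        ]
        return "; ".join(parts)


def session_survives_scheme(header: str, set_over_https: bool,
                            request_over_https: bool) -> bool:
    """Would a session cookie issued with `header` be sent back on a later
    request over the given scheme?  This is the HTTPS-to-HTTP case Anders
    raises: a Secure JSESSIONID is lost as soon as the client goes to HTTP."""
    jar = CookieJar()
    jar.receive(header, over_https=set_over_https)
    return "JSESSIONID=" in jar.cookie_header(over_https=request_over_https)


if __name__ == "__main__":
    # Constructed headers: Tomcat-style (Secure under HTTPS) vs a cookie
    # that is not marked Secure, as the poster describes for Websphere 4.x.
    for hdr in ("JSESSIONID=abc123;Secure", "JSESSIONID=abc123; Secure"):
        print(hdr, "-> secure =", parse_set_cookie(hdr).secure)
    for hdr in ("JSESSIONID=abc123; Secure", "JSESSIONID=abc123; Path=/"):
        print(hdr, "| set over HTTPS, request over HTTP ->",
              session_survives_scheme(hdr, True, False))
```

The parser makes both spellings equivalent, which is what a robust client should do; the jar shows the trade-off the thread is really about: marking JSESSIONID Secure protects it from ever travelling in cleartext, at the cost of losing the session on any switch to plain HTTP.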