billbarker 2002/10/30 22:24:59
Modified: src/share/org/apache/tomcat/modules/session SessionId.java
Log: Disable session sharing when switching from HTTPS to HTTP. There is a new "secureCookie" attribute that can be set to "false" to continue to use the old behavior where session sharing is enabled. The default behavior could be changed, if consistancy is considered to be more important than security. Now Craig doesn't have to vote against the 3.3.2 release. ;)
Revision Changes Path
1.21 +13 -0 jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java
Index: SessionId.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- SessionId.java 22 Aug 2002 06:04:29 -0000 1.20
+++ SessionId.java 31 Oct 2002 06:24:59 -0000 1.21
@@ -97,6 +97,7 @@
 boolean cookiesFirst=true;
 boolean checkSSLSessionId=false;
 boolean ignoreCase=false;
+ boolean secureCookie=true;
 public SessionId() {
 ignoreCase= (File.separatorChar == '\\');
@@ -124,6 +125,15 @@
 return ignoreCase;
 }
+ /** Use secure cookies for SSL connections.
+ */
+ public void setSecureCookie(boolean sc) {
+ secureCookie = sc;
+ }
+
+ public boolean getSecureCookie() {
+ return secureCookie;
+ }
 /** Extract the session id from the request.
 * SessionInterceptor will have to be called _before_ mapper,
@@ -358,6 +368,9 @@
 StringBuffer buf = new StringBuffer();
 buf.append( "JSESSIONID=" ).append( reqSessionId );
 buf.append( ";Path=" ).append( sessionPath );
+ if( secureCookie && rrequest.isSecure() ) {
+ buf.append(";Secure");
+ }
 response.addHeader( "Set-Cookie", buf.toString());
 if( debug>0) log( "Setting cookie " + buf );
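Review bot: The `;Secure` attribute in the third hunk is appended only when `rrequest.isSecure()` is true at the moment the cookie is issued, so a session first created over plain HTTP keeps a cookie without the flag, and whether that cookie is re-issued with `;Secure` once the same session is later used over HTTPS depends on code outside this hunk (the method building `buf` starts and ends outside it). `isSecure()` presumably reflects only what the connector reports, so a deployment that terminates SSL in front of Tomcat would get no `Secure` flag at all; that limitation and the default belong in the setter Javadoc of the second hunk, e.g. `/** Mark the JSESSIONID cookie Secure when it is issued on an SSL request (default true); false restores sharing of one session between HTTPS and HTTP. Relies on the connector reporting isSecure(). */`. `getSecureCookie` carries no Javadoc at all. Judging by the hunk line counts, the closing brace of `getSecureCookie` runs directly into the `/** Extract the session id` Javadoc with no separating blank line.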