On 3/5/2014 2:28 PM, Konstantin Kolinko wrote:
> The HttpOnly flag is used by cookies sent by server to the client. There is no point checking it on request.getCookies(), as browsers do not send it back (neither do they send 'path', 'secure' etc.).

1. Isn't that what gets sent from the server to the client?
2. Why did it work when going direct without the load balancer?
3. Why did it sometimes work with IE even with the load balancer?
4. Why did it still fail when I reverted to Tomcat 6?
5. Why did it work before this release when we had TLS 1.1/1.2 enabled in the client JCP?

Note that the load balancer is doing all of the SSL and sending plain HTTP to httpd which is in turn talking AJP to Tomcat. While our httpd does support HTTPS

6. New data point from last night: One of our support people uninstalled Firefox and Chrome and the JRE from his Windows 8 laptop and then reinstalled all of them. All of them worked after that through the load balancer on his laptop. That was before the changes that we made to the applet this morning for the cookie.
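
The behaviour described in the quoted reply, as an added example that is not part of the original thread: cookie attributes exist only in the `Set-Cookie` response header, so a check for `HttpOnly` or `Secure` has to inspect the response, not the request. The sample header values and function names are constructed for illustration; Python's standard `http.cookies` module stands in for the browser and server parsing.

```python
from http.cookies import SimpleCookie

# Constructed sample of a Set-Cookie response header value.
SET_COOKIE = "JSESSIONID=ABC123; Path=/app; Secure; HttpOnly"
ATTRS = ("path", "secure", "httponly")


def parse_set_cookie(header_value):
    """Parse a cookie header value into {name: (value, attributes present)}."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {
        name: (m.value, {a: m[a] for a in ATTRS if m[a]})
        for name, m in jar.items()
    }


def request_cookie_header(set_cookie_values):
    """Build the Cookie request header a client returns: name=value pairs only."""
    pairs = []
    for header_value in set_cookie_values:
        for name, (value, _attrs) in parse_set_cookie(header_value).items():
            pairs.append(f"{name}={value}")
    return "; ".join(pairs)


def missing_flags(set_cookie_value, required=("httponly", "secure")):
    """Response-side audit: list the required flags each cookie lacks."""
    return {
        name: [flag for flag in required if flag not in attrs]
        for name, (_value, attrs) in parse_set_cookie(set_cookie_value).items()
    }


if __name__ == "__main__":
    print("response:", parse_set_cookie(SET_COOKIE))
    sent_back = request_cookie_header([SET_COOKIE])
    print("request header:", sent_back)
    # Parsing the request side finds no attributes, because none were sent.
    print("request parsed:", parse_set_cookie(sent_back))
    # Constructed weak cookie to show the audit output.
    print("audit:", missing_flags("theme=dark; Path=/"))
```
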