Rainer Jung wrote:
André Warnier wrote:
And, again in other words, if this parameter was set to Off, and
Tomcat generated a new session and a JSESSIONID session cookie for
this session, that the cookie would thus not be marked secure ?
Didn't try this. What does your tests say?
Oooh! I may want to try this. I may not have needed to change my app
at all.
If your own knowledge about secure / non secure differs from the one
of httpd (e.g. you use an ssl accelerator in front of httpd) and you
want to present your own idea of secure / non secure via mod_jk to
Tomcat, you can set JkHTTPSIndicator to the name of some httpd
environment variable, and then set the environment variable depending
on details of the request via mod_setenvif or mod_rewrite.
But if you simply want to drop all ssl info, setting JkExtractSSL to
off is right.
Interesting. I'm wondering if my old Apache 1.3.34+ssl & Tomcat 3.2.4
combination involved any knowledge by Tomcat of Apache doing SSL?
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
