Hello,

   I am interested in using the "secure" attribute of Tomcat
connectors for non https/ssl requests. However, the "ssl only"
JSESSIONID cookie mechanism currently relies on "request.secure ==
true" rather than on "request.scheme == https" (1). A confusion on
"secure vs. https" seems to come from the fact that "cookie.secure ==
true" is interpreted by most http clients (2) as "cookie.sslOnly == true".
   Due to this behavior, I don't see how I can use "connector.secure =
true" without "connector.scheme = https".

   Could we imagine an evolution of Tomcat to generate secure session
cookies if "request.scheme == https" rather than on "request.secure ==
true"? I would be very pleased to propose a patch.

   My use case is: an application receives requests from both the
internet and from other servers of my data center (same trusted zone).
The requests coming from the internet may use http or https, while
internal requests use http (for security and CPU consumption reasons).
The application's web services require a secure channel (https from
the internet or http from the trusted zone).
   If Tomcat handled secure session cookies on "request.scheme ==
https" rather than "request.secure == true", I would handle this with
three connectors thanks to the nuance between the "secure" and
"scheme" attributes of the connectors:
- external over http connector: secure = false, scheme = http
- external over https/ssl connector: secure = true, scheme = https
- internal over http connector: secure = true, scheme = http
   Today, I handle this in the application by wrapping the
HttpServletRequest to declare as "secure" the requests whose remoteAddr
matches the 10.* block.

   Cyrille

(1) See http://fisheye6.atlassian.com/browse/tomcat/trunk/java/org/apache/catalina/connector/Request.java?r=HEAD#l2367
(2) web browsers, Apache Commons Http client, etc

--
Cyrille Le Clerc
cyrille.lecl...@pobox.com clecl...@xebia.fr
http://blog.xebia.fr

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
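The application-level workaround described in the message above, written out as an added example (not Cyrille's code and not part of Tomcat): a servlet Filter wraps the HttpServletRequest so that isSecure() reports true for plain-http clients in 10.0.0.0/8, while the connector's "secure" attribute stays false so Tomcat does not flag the JSESSIONID cookie as Secure. The class name is hypothetical and the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical filter: treats plain-http requests coming from the trusted
 * zone (10.0.0.0/8) as "secure" for the application's own isSecure() checks.
 * The connector keeps secure="false", so Tomcat's session cookie logic,
 * which looks at the real Request object, still emits a non-Secure cookie.
 */
public class TrustedZoneSecureFilter implements Filter {

    /** True when remoteAddr is an IPv4 literal inside 10.0.0.0/8. */
    static boolean isTrustedZone(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        try {
            // remoteAddr is always an IP literal, so no DNS lookup happens here
            byte[] octets = InetAddress.getByName(remoteAddr).getAddress();
            return octets.length == 4 && (octets[0] & 0xFF) == 10;
        } catch (UnknownHostException e) {
            return false; // unparseable address: never treat as trusted
        }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRemoteAddr() is the TCP peer address, not a header such as
        // X-Forwarded-For, so a client cannot spoof its way into the zone;
        // a reverse proxy in front of Tomcat would hide the real peer, though.
        if (!http.isSecure() && isTrustedZone(http.getRemoteAddr())) {
            req = new HttpServletRequestWrapper(http) {
                @Override public boolean isSecure() { return true; }
                // getScheme() is left as "http": the transport really is plain http
            };
        }
        chain.doFilter(req, resp);
    }
}
```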
