I am using session cookies to track sessions. I am used to JRun, where you would specifically set the cookie to be sent only over SSL or https. This was not the default setting. I want users to connect to my web site using https; then they might click a link on one of my web pages whose protocol is not secure. What is the behavior of the JSESSIONID cookie in this situation?
JW

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, October 27, 2009 3:42 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL

Joe,

(Can you fix your emailer to include thread-ids when replying to the list? Your replies are not properly threaded, here.)

On 10/27/2009 4:12 PM, Joe Wallace wrote:
> I have a filter that calls
> Cookie.getName and
> Cookie.getSecure
> JSESSIONID returns false even when the connection is always https.
> Tomcat version is 6.0.20.

If your cookie was created in HTTP mode, then the 'secure' flag will be set to 'false' on that cookie. Are you sure you are always in HTTP mode? Please double-check, and remember that /all JSPs will create a session unless session=false in the @page directive/.

To answer your original question: there is no setting in Tomcat to get secure=true on your cookies in SSL mode. Tomcat should /always/ use a secure cookie when the cookie is created in SSL mode. You may have to re-check your <Connector> attributes for the AJP connector. Make sure that secure="true" among others.

-chris
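The situation Joe describes (a session id first issued over plain HTTP and then reused once the user is on HTTPS) can be handled inside the application instead of by reading cookie attributes, which browsers never send back, so Cookie.getSecure() on a request cookie is always false. The filter below is an added example, not code from this thread or from Tomcat: it marks sessions first seen over HTTPS and discards any unmarked session presented on an HTTPS request, so the container issues a fresh id in a cookie created in SSL mode; the class name and attribute key are my own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): on HTTPS requests, rejects any session
// whose id was not issued while the client was already on HTTPS.
public class SecureSessionFilter implements Filter {

    // Hypothetical attribute key marking a session first seen over TLS.
    private static final String TLS_MARK = "SecureSessionFilter.seenOverTls";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Plain-HTTP requests pass through untouched; any session they create
        // stays unmarked and is dropped the first time it shows up over HTTPS.
        if (!request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(TLS_MARK) == null) {
            // The id was handed out in a non-Secure cookie (created over HTTP)
            // and may have crossed the network in the clear: throw it away.
            // The user must log in again; that is the price of a clean id.
            session.invalidate();
        }

        chain.doFilter(req, res);

        // A session that exists now and is still unmarked was created during
        // this HTTPS request (by a servlet, or by a JSP without session="false"),
        // so Tomcat issued its JSESSIONID cookie in SSL mode. Mark it.
        session = request.getSession(false);
        if (session != null && session.getAttribute(TLS_MARK) == null) {
            session.setAttribute(TLS_MARK, Boolean.TRUE);
        }
    }
}
```

Map it in web.xml with a filter-mapping on /* ahead of the application's other filters; behind an AJP front end the Connector still needs secure="true" (and scheme="https") or request.isSecure() will report false for every request.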