-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joe,
On 10/27/2009 5:00 PM, Joe Wallace wrote:
> I am using session cookies to track sessions. I am used to Jrun
> where you would specifically set the cookie to be sent only over SSL
> or https. This was not the default setting. I want users to connect
> to my web site using https then they might click a link on one of my
> web pages whose protocal is not secure. What is the behavior of the
> JSESSIONID cookie in this situation.
Tomcat will create its JSESSIONID cookie like this in all cases:
Cookie cookie = new Cookie("JSESSIONID", sessionId);
if(request.isSecure())
cookie.setSecure(true);
(Note that the code might not look exactly like this, but it behaves in
this way).
So, if your session was created during a non-secure request, you'll get
a non-secure cookie. The solution? Make all your requests HTTPS. If you
have non-secure pages, you'll need to make sure they don't call
request.getSession(true) either explicitly or implicitly (say, by
forgetting to set session="false" for a JSP).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrnUvIACgkQ9CaO5/Lv0PCVjACfdqIQS8CFhelJtjgOWaoHtBhc
6gAAoIrWzROh0PTIOUYe4Aobnm3YWVtp
=mlkD
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
