Joe,

On 10/27/2009 5:00 PM, Joe Wallace wrote:
> I am using session cookies to track sessions. I am used to Jrun
> where you would specifically set the cookie to be sent only over SSL
> or https. This was not the default setting. I want users to connect
> to my web site using https then they might click a link on one of my
> web pages whose protocol is not secure. What is the behavior of the
> JSESSIONID cookie in this situation?

Tomcat will create its JSESSIONID cookie like this in all cases:

    Cookie cookie = new Cookie("JSESSIONID", sessionId);
    if (request.isSecure())
        cookie.setSecure(true);

(Note that the code might not look exactly like this, but it behaves in
this way).

So, if your session was created during a non-secure request, you'll get
a non-secure cookie.

The solution? Make all your requests HTTPS. If you have non-secure
pages, you'll need to make sure they don't call request.getSession(true)
either explicitly or implicitly (say, by forgetting to set
session="false" for a JSP).

-chris
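As an added example (not code from this message or from Tomcat itself), here is one way to enforce the "make all your requests HTTPS" advice with a servlet filter: mapped first on /*, it redirects every non-secure request before any servlet or JSP can reach request.getSession(true), so a JSESSIONID cookie is never issued without the Secure flag. It assumes HTTPS is served on port 443 and the javax.servlet API of Tomcat 6-era containers.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not Tomcat's own code. Declare it in web.xml with a
 * <filter-mapping> on url-pattern "/*" and list it before every other
 * filter, so it runs before anything that might create a session.
 * Assumption: HTTPS is on the default port 443.
 */
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is the same test Tomcat applies when deciding whether
        // the JSESSIONID cookie it issues gets the Secure flag.
        if (!request.isSecure()) {
            // Rebuild the same path and query string on https:// (port 443 assumed)
            // and send the client there; the filter chain is never continued, so
            // no servlet or JSP can call getSession(true) on this plain-HTTP request.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        chain.doFilter(req, res);
    }
}
```

The same policy can be declared without code through a web.xml <security-constraint> whose <user-data-constraint> carries <transport-guarantee>CONFIDENTIAL</transport-guarantee>, which the container honours by redirecting to its configured HTTPS connector.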