Hi Chris,
You wrote:
>Tomcat will create its JSESSIONID cookie like this in all cases:

>Cookie cookie = new Cookie("JSESSIONID", sessionId);
>if(request.isSecure())
>  cookie.setSecure(true);

My filter calls HttpServletRequest.isSecure(), which returns true.
It then calls Cookie.getSecure() for the JSESSIONID cookie, which returns false.

I am expecting this to return true since all connections have been over https.
Or should I be looking elsewhere?


JW


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, October 27, 2009 4:07 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe,

On 10/27/2009 5:00 PM, Joe Wallace wrote:
> I am using session cookies to track sessions.  I am used to Jrun,
> where you would specifically set the cookie to be sent only over SSL
> or https.  This was not the default setting.  I want users to connect
> to my web site using https; then they might click a link on one of my
> web pages whose protocol is not secure.  What is the behavior of the
> JSESSIONID cookie in this situation?

Tomcat will create its JSESSIONID cookie like this in all cases:

Cookie cookie = new Cookie("JSESSIONID", sessionId);
if(request.isSecure())
  cookie.setSecure(true);

(Note that the code might not look exactly like this, but it behaves in
this way).

So, if your session was created during a non-secure request, you'll get
a non-secure cookie. The solution? Make all your requests HTTPS. If you
have non-secure pages, you'll need to make sure they don't call
request.getSession(true) either explicitly or implicitly (say, by
forgetting to set session="false" for a JSP).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrnUvIACgkQ9CaO5/Lv0PCVjACfdqIQS8CFhelJtjgOWaoHtBhc
6gAAoIrWzROh0PTIOUYe4Aobnm3YWVtp
=mlkD
-----END PGP SIGNATURE-----
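
A practical check for the situation discussed in this thread, added here as an example and not part of either message: the Secure attribute lives in the Set-Cookie response header, while the browser's Cookie request header carries only name=value pairs, so whether JSESSIONID was issued with the flag has to be read from the response the server sends, not from the cookies a later request carries back. The shell function below scans HTTP response headers on stdin for a Set-Cookie header of the named cookie (JSESSIONID by default) and reports whether every such header carries Secure. The sample responses are constructed for this example, and the curl invocation in the usage note assumes an HTTPS host of your own.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from HTTP response
# headers whether the session cookie was issued with the Secure attribute.
#
# session_cookie_is_secure [COOKIE_NAME]
#   reads response headers on stdin (CRLF or LF line endings)
#   returns 0 if every Set-Cookie for COOKIE_NAME carries Secure,
#           1 if some Set-Cookie for COOKIE_NAME lacks Secure,
#           2 if no Set-Cookie for COOKIE_NAME is present at all.
session_cookie_is_secure() {
    name="${1:-JSESSIONID}"
    status=2
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        # Header names are case-insensitive; only Set-Cookie matters here.
        header=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        [ "$header" = "set-cookie" ] || continue
        value="${line#*:}"
        value="${value# }"
        case "$value" in
            "$name"=*) ;;
            *) continue ;;
        esac
        # Split the cookie on ';' into its attributes and look for a bare,
        # case-insensitive "Secure" token (a value such as "secure=1" does not count).
        if printf '%s\n' "$value" | tr ';' '\n' \
             | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qix 'secure'; then
            if [ "$status" -eq 2 ]; then status=0; fi
        else
            status=1
        fi
    done
    return "$status"
}

# Human-readable verdict for a response on stdin; always returns 0 so it is
# safe to use in a pipeline under "set -e". Use the predicate above for scripting.
report_session_cookie() {
    rc=0
    session_cookie_is_secure "$@" || rc=$?
    case "$rc" in
        0) echo "OK:   ${1:-JSESSIONID} is set with the Secure attribute" ;;
        1) echo "FAIL: ${1:-JSESSIONID} is set WITHOUT the Secure attribute" ;;
        *) echo "NONE: no ${1:-JSESSIONID} cookie was set by this response" ;;
    esac
    return 0
}

# Constructed sample responses for the example; not captured from a real server.
SECURE_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8'

INSECURE_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app
Content-Type: text/html;charset=UTF-8'

NO_SESSION_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: theme=dark; Path=/app; Secure
Content-Type: text/html;charset=UTF-8'

# Demonstration on the constructed samples.
printf '%s\n' "$SECURE_RESPONSE"     | report_session_cookie
printf '%s\n' "$INSECURE_RESPONSE"   | report_session_cookie
printf '%s\n' "$NO_SESSION_RESPONSE" | report_session_cookie
```

Against a live server, pipe the response headers of a page that creates a session into the function, for example `curl -sS -D - -o /dev/null https://www.example.com/app/ | report_session_cookie` (host assumed). Exit code 1 is the case the thread is about: a JSESSIONID issued without Secure, which happens when the session was first created by a request that was not HTTPS. Exit code 2 is the desired outcome for pages that should not create a session at all, the check Chris suggests for non-secure pages.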
