-----Original Message-----
From: André Warnier [mailto:[email protected]]
Sent: Tuesday, October 27, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL
>Joe Wallace wrote:
>> I am using session cookies to track sessions. I am used to JRun where you
>> would specifically set the cookie to be sent only over SSL or https. This
>> was not the default setting. I want users to connect to my web site using
>> https then they might click a link on one of my web pages whose protocol is
>> not secure. What is the behavior of the JSESSIONID cookie in this
>> situation?
>>
>Joe,
>1) assuming your setup is
>browsers <--> IIS <--> Tomcat
>          A        B
>which portion(s) is(/are) using HTTPS? A? B? both?
>2) "secure" is an attribute of a cookie, written inside of the cookie by
>the server creating the cookie in the first place.
>If set, it has the consequence that a browser will only send it back to
>the original server with subsequent requests if these subsequent
>requests happen over an HTTPS connection.
>In other words, if you set the secure attribute on the JSESSIONID
>cookie, because for instance your initial request happens over HTTPS,
>then you switch to a non-HTTPS part of the site, the browser is probably
>no longer going to send this cookie back to the server.
>In other words, you will, for practical purposes, "lose your session".
>Not so, gurus?
Portion A is using IIS. IIS holds the SSL cert.
I am using the AJP 1.3 connector for IIS.
It is defined in the Tomcat server.xml:
<!-- Define an AJP 1.3 Connector on port xxxx -->
<Connector port="8109" protocol="AJP/1.3" redirectPort="443" />
Joe
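Added example, not part of this thread and not Tomcat or IIS code: a small Python script that drives the standard library's http.cookiejar as a stand-in for the browser André describes. The host name, session id and URL paths are constructed sample values. It sets JSESSIONID in the response to a simulated HTTPS login, once with and once without the Secure attribute, and reports whether the jar would attach the cookie to a later https request and to a later http request on the same host.

```python
# Added example (not from the thread): simulate a browser's cookie jar honouring the
# "Secure" attribute, to show why a JSESSIONID marked Secure is dropped once the
# user follows a link to a plain-http page.  Uses only the Python standard library.
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            # Message keeps duplicate headers, so several Set-Cookie lines are fine.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_sent(jar, url):
    """Return True if the jar would attach JSESSIONID to a request for url."""
    request = urllib.request.Request(url)
    # add_cookie_header applies the jar's policy, including the Secure check
    # against the request scheme, before adding a Cookie header.
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return "JSESSIONID=" in header


def simulate(secure_flag):
    """Log in over HTTPS, then visit an https page and an http page on the same host.

    Returns a dict mapping scheme -> whether JSESSIONID was sent back.
    Host name, session id and paths are constructed sample values.
    """
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://www.example.com/login")
    header = "JSESSIONID=ABC123DEF456; Path=/; HttpOnly"
    if secure_flag:
        header += "; Secure"
    # The server's response to the HTTPS login sets the session cookie.
    jar.extract_cookies(FakeResponse([header]), login)

    return {
        "https": cookie_sent(jar, "https://www.example.com/account"),
        "http": cookie_sent(jar, "http://www.example.com/public/news"),
    }


if __name__ == "__main__":
    for flag in (True, False):
        label = "Secure attribute set:" if flag else "Secure attribute not set:"
        print(label, simulate(flag))
```

Running the script prints one result per case. With Secure set, the http request carries no cookie, which is the "lose your session" effect André describes once the user follows the non-HTTPS link. Without it, the same session id is sent over the plain-http link as well, in the clear, which is the exposure the attribute exists to prevent; that is the trade-off behind the original question.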
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]