Joe Wallace wrote:
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, October 27, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL
Joe Wallace wrote:
I am using session cookies to track sessions. I am used to Jrun where you would
specifically set the cookie to be sent only over SSL or https. This was not the
>default setting. I want users to connect to my web site using https then they
might click a link on one of my web pages whose protocal is not secure. What is the
>behavior of the JSESSIONID cookie in this situation.
Joe,
1) assuming your setup is
browsers <--> IIS <--> Tomcat
A B
which portion(s) is(/are) using HTTPS ? A ? B ? both ?
2) "secure" is an attribute of a cookie, written inside of the cookie by
the server creating the cookie in the first place.
If set, it has as consequence that a browser will only send it back to
the original server with subsequent requests, if these subsequent
requests happen over a HTTPS connection.
In other words, if you set the secure attribute on the JSESSIONID
cookie, because for instance your initial request happens over HTTPS,
then you switch to a non-HTTPS part of the site, the browser is probably
no longer going to send this cookie back to the server.
In other words, you will, for practical purposes, "lose your session".
Not so, gurus ?
Portion A is using IIS. IIS holds the SSL cert.
I am using AJP 1.3 connector for IIS
It is defined in the Tomcat Server.xml
<!-- Define an AJP 1.3 Connector on port xxxx -->
<Connector port="8109" protocol="AJP/1.3" redirectPort="443"
/>
Am I mistaken then to think that since the connection B from IIS to
Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
being used ?
Whatever consequences this has in the context (and which are beyond my
expertise).
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
