On 27/10/2009 22:31, Joe Wallace wrote:
André Warnier wrote:
Am I mistaken then to think that since the connection B from IIS to
Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
being used?
Whatever consequences this has in the context (and which are beyond my
expertise).
Andre,
I guess that is the question.
The filter I have in Tomcat calls request.isSecure().
This returns true.
(All requests have been using https)
What steps are you taking to ensure this is the case?
How are you enforcing HTTPS? Are you using a
<transport-guarantee>CONFIDENTIAL</transport-guarantee>?
Under the general category of asking the obvious, can you clear all
existing cookies and then use Firebug/LiveHTTPHeaders in Firefox (or the
browser of your choice) to see exactly when the first Set-Cookie header
occurs?
p
If, when Tomcat does this:
    if (request.isSecure())
        cookie.setSecure(true);
a call to cookie.getSecure() should return true.
But the same filter that returns true for request.isSecure()
calls Cookie.getSecure() and it returns false.
Joe
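As an added check that is not part of the thread: the Secure attribute is only ever visible on the server's Set-Cookie response header (a browser's Cookie request header carries only name=value pairs), so the reliable way to settle the question is the one suggested above, inspecting the first Set-Cookie header on a cookie-less HTTPS request. The script below is an editor-supplied example (not Joe's filter and not Tomcat code); it parses Set-Cookie headers, reports any JSESSIONID set without Secure, and assumes a host name you supply plus a constructed sample header list for offline use.

```python
import http.client
import ssl
from typing import Dict, List, Tuple

# Constructed sample: what a Tomcat behind IIS might send on the first HTTPS hit.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/app"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
]


def parse_set_cookie(headers: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Map cookie name -> attributes from (header-name, header-value) pairs."""
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name, _, cookie_value = parts[0].partition("=")
        attrs = {"value": cookie_value, "secure": False, "httponly": False, "path": None}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "secure":          # flag attribute, no value
                attrs["secure"] = True
            elif key == "httponly":
                attrs["httponly"] = True
            elif key == "path":
                attrs["path"] = val.strip()
        cookies[cookie_name.strip()] = attrs
    return cookies


def insecure_session_cookies(headers, session_name="JSESSIONID"):
    """Return the session cookie names that were set without the Secure flag."""
    return [n for n, a in parse_set_cookie(headers).items()
            if n == session_name and not a["secure"]]


def fetch_headers(host, path="/", port=443):
    """Cookie-less HTTPS GET (the 'clear all cookies' step) returning raw headers."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    conn.request("GET", path, headers={"Host": host})
    headers = conn.getresponse().getheaders()
    conn.close()
    return headers


if __name__ == "__main__":
    # Replace SAMPLE_HEADERS with fetch_headers("your.host") to test a live server.
    print(insecure_session_cookies(SAMPLE_HEADERS))  # ['JSESSIONID']
```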
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, October 27, 2009 5:11 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL
Joe Wallace wrote:
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, October 27, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL
Joe Wallace wrote:
I am using session cookies to track sessions. I am used to JRun, where you would
specifically set the cookie to be sent only over SSL or https. This was not
the default setting. I want users to connect to my web site using https; then they
might click a link on one of my web pages whose protocol is not secure. What is
the behavior of the JSESSIONID cookie in this situation?
Joe,
1) assuming your setup is
browsers <--A--> IIS <--B--> Tomcat
which portion(s) is(/are) using HTTPS? A? B? both?
2) "secure" is an attribute of a cookie, written inside of the cookie by
the server creating the cookie in the first place.
If set, it has as consequence that a browser will only send it back to
the original server with subsequent requests, if these subsequent
requests happen over a HTTPS connection.
In other words, if you set the secure attribute on the JSESSIONID
cookie, because for instance your initial request happens over HTTPS,
then you switch to a non-HTTPS part of the site, the browser is probably
no longer going to send this cookie back to the server.
In other words, you will, for practical purposes, "lose your session".
Not so, gurus?
Portion A is using IIS. IIS holds the SSL cert.
I am using the AJP 1.3 connector for IIS.
It is defined in the Tomcat Server.xml:
<!-- Define an AJP 1.3 Connector on port xxxx -->
<Connector port="8109" protocol="AJP/1.3" redirectPort="443" />
Am I mistaken then to think that since the connection B from IIS to
Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
being used?
Whatever consequences this has in the context (and which are beyond my
expertise).
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org