From Firefox Live HTTP Headers

Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure
Location: https://216.94.100.154/inetwork/Start.jsp

Hmmmm. That looks like it is secure.

My filter is getting this.

Cookie0 name= JSESSIONID
Cookie0 value= B4F06784FE4EAA0A7C9830BBF86D85B4
Cookie0 isSecure = false

Filter code

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class CookieDebugFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpResp = (HttpServletResponse) res;
            // true when the container believes this request arrived over HTTPS
            System.out.println("http request is secure = " + httpReq.isSecure());
            Cookie[] c = httpReq.getCookies();
            if (c != null) {
                for (int i = 0; i < c.length; i++) {
                    System.out.println(" Cookie" + i + " name= " + c[i].getName());
                    System.out.println(" Cookie" + i + " value= " + c[i].getValue());
                    // incoming cookies are built from the Cookie request header,
                    // which carries no attributes such as Secure
                    System.out.println(" Cookie" + i + " isSecure=" + c[i].getSecure());
                }
            }
            chain.doFilter(req, res);
        }
    }

JW

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Wednesday, October 28, 2009 9:52 AM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL

On 27/10/2009 22:31, Joe Wallace wrote:
>
> André Warnier wrote:
>> Am I mistaken then to think that since the connection B from IIS to
>> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
>> being used ?
>> Whatever consequences this has in the context (and which are beyond my
>> expertise).
>
> Andre,
> I guess that is the question.
>
> The filter I have in Tomcat calls request.isSecure().
> This returns true.
>
> (All requests have been using https)

What steps are you taking to ensure this is the case?

How are you enforcing HTTPS, are you using a
<transport-guarantee>CONFIDENTIAL</transport-guarantee>?

Under the general category of asking the obvious, can you clear all
existing cookies and then use Firebug/LiveHTTPHeaders in Firefox (or the
browser of your choice) to see exactly when the first Set-Cookie header
occurs?

p

> If when tomcat does this.
>
>     if(request.isSecure())
>         cookie.setSecure(true);
>
> A call to cookie.getSecure should return true.
>
> But the same filter that returns true for request.isSecure()
> calls Cookie.getSecure() and it returns false.
>
> Joe
>
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Tuesday, October 27, 2009 5:11 PM
> To: Tomcat Users List
> Subject: Re: SessionID cookie not secure over SSL
>
> Joe Wallace wrote:
>>
>> -----Original Message-----
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Sent: Tuesday, October 27, 2009 4:48 PM
>> To: Tomcat Users List
>> Subject: Re: SessionID cookie not secure over SSL
>>
>>> Joe Wallace wrote:
>>>> I am using session cookies to track sessions. I am used to Jrun where you
>>>> would specifically set the cookie to be sent only over SSL or https. This
>>>> was not the default setting. I want users to connect to my web site using
>>>> https then they might click a link on one of my web pages whose protocol
>>>> is not secure. What is the behavior of the JSESSIONID cookie in this
>>>> situation.
>>>>
>>> Joe,
>>>
>>> 1) assuming your setup is
>>>
>>>     browsers <--> IIS <--> Tomcat
>>>               A        B
>>>
>>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
>>>
>>> 2) "secure" is an attribute of a cookie, written inside of the cookie by
>>> the server creating the cookie in the first place.
>>> If set, it has as consequence that a browser will only send it back to
>>> the original server with subsequent requests, if these subsequent
>>> requests happen over a HTTPS connection.
>>>
>>> In other words, if you set the secure attribute on the JSESSIONID
>>> cookie, because for instance your initial request happens over HTTPS,
>>> then you switch to a non-HTTPS part of the site, the browser is probably
>>> no longer going to send this cookie back to the server.
>>> In other words, you will, for practical purposes, "lose your session".
>>>
>>> Not so, gurus ?
>>
>> Portion A is using IIS. IIS holds the SSL cert.
>> I am using AJP 1.3 connector for IIS
>> It is defined in the Tomcat Server.xml
>>
>>     <!-- Define an AJP 1.3 Connector on port xxxx -->
>>     <Connector port="8109" protocol="AJP/1.3" redirectPort="443" />
>>
>> Am I mistaken then to think that since the connection B from IIS to
>> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
>> being used ?
>> Whatever consequences this has in the context (and which are beyond my
>> expertise).
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
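The thread above hinges on where the Secure attribute can actually be observed: it travels only in the server's Set-Cookie response header, while the browser's Cookie request header carries bare name=value pairs, so a filter inspecting incoming cookies cannot see it. The following is an added example (not code from the thread or from Tomcat) in Python rather than Java so it runs without a servlet container. It parses both header forms and audits session cookies on the response side, which is the check Pid suggests doing with Live HTTP Headers. It goes slightly beyond the thread by also reporting a missing HttpOnly attribute. The header values and the session token are constructed for the example and are not captured traffic.

```python
"""Audit the Secure attribute of session cookies from raw HTTP headers.

Added example, not code from the mailing-list thread. The header values
below are constructed to resemble the exchange (same cookie name and Path);
the token is made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie response header value (RFC 6265 layout)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes get an empty value
    return SetCookie(name.strip(), value.strip(), attrs)


def parse_cookie_header(header_value: str) -> Dict[str, str]:
    """Parse a request Cookie header.

    Only name=value pairs exist here: the browser never echoes Secure,
    HttpOnly or Path back to the server, which is why a server-side
    Cookie object built from this header reports getSecure() == false.
    """
    cookies: Dict[str, str] = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


SESSION_COOKIE_NAMES = {"JSESSIONID"}  # assumption: the only session cookie in play


def audit_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per session cookie missing Secure or HttpOnly."""
    findings: List[str] = []
    for raw in set_cookie_headers:
        sc = parse_set_cookie(raw)
        if sc.name not in SESSION_COOKIE_NAMES:
            continue
        if not sc.secure:
            findings.append(f"{sc.name}: missing Secure (browser will also send it over plain HTTP)")
        if not sc.httponly:
            findings.append(f"{sc.name}: missing HttpOnly (readable by page scripts)")
    return findings


# Constructed sample headers modelled on the thread.
RESPONSE_SET_COOKIE = [
    "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/inetwork; Secure",
    "theme=dark; Path=/",
]
INSECURE_SET_COOKIE = ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/inetwork"]
REQUEST_COOKIE = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; theme=dark"

if __name__ == "__main__":
    print("secure response:", audit_session_cookies(RESPONSE_SET_COOKIE))
    print("insecure response:", audit_session_cookies(INSECURE_SET_COOKIE))
    print("request side:", parse_cookie_header(REQUEST_COOKIE))
```

Run it against the Set-Cookie lines captured from the first HTTPS response (after clearing cookies, as Pid suggests); a finding on the response side is real, whereas the request side can only ever show whether the browser chose to send the cookie at all, not whether Secure was set.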