tomcat-dev mailing list archives

From: Jay Sissom
Subject: Re: Tomcat MAC IE5 SSL Partial Bug fix
Date: Sun, 07 Apr 2002 03:23:57 GMT
I couldn't find any spec for doing this.  I haven't been able to find much
detail information about any version of IE.  I just experimented and found
this worked.  

We have tested this on all current browsers that IU applications should
support (Netscape 6.2, Mozilla 0.9.9, IE 5.0, 5.5, IE 6.0 on Mac,
Windows & Linux).  As you can see, we did not do exhaustive testing because
we don't have the facilities to do so. If the tomcat team doesn't want to
use my patch, I fully understand, but the code that is in prod now doesn't
work at all on current versions of IE on the Mac (if you are running SSL).
When we deploy tomcat in our environment, we'll be using this patch until
a better one is found.

Just as a side note, Websphere 4.x works properly in the same situation
because its JSESSIONID cookie is not sent as a secure cookie if the
session is HTTPS.  I'm not sure if I feel that this is proper, but it
works for us where tomcat doesn't.

I would hope someone can come up with a solution, if mine isn't selected
as the solution.  The way it is, tomcat is broken in this one case.  I'm
not complaining - tomcat is great software.  We'd rather use it than
Websphere in most cases! I just hope that someone can come up with a good
solution to this problem.

By the way, I don't understand the comment below because tomcat only sends
;Secure (or ; Secure) on cookies sent via a HTTPS session and then, you
have to specify sending a secure cookie.  Testing under HTTP shouldn't be
required because tomcat shouldn't send a secure cookie down HTTP.  If it
does, the browser should ignore the cookie based on the cookie spec on
the netscape web site.

I currently don't subscribe to the tomcat-dev list, so if you want to ask
me about something, please make sure to reply to me directly.

I leave it in your very capable hands. :)


On Sat, 6 Apr 2002, Anders Rundgren wrote:

> Hi Jay,
> I noted that you added a blank to create "; Secure" instead of ";Secure".
> I am just curious where you got the background spec. for doing this
> change and if you have verified this with Mac IE 5?
> Well, I'm sure you have!
> BTW, does any browser handle this flag correctly?  I.e. not sending
> secure cookies in non-secure sessions.  It seems that cookie changes
> must be verified with a lot of browsers as we have noted subtle
> differences in old and new Netscapes, IEs, Operas etc.  A real
> nightmare IMHO!
> ====================================================
> Actually I think this patch may not be enough as it is likely to be handled
> differently among browsers.  If somebody want to switch from https to
> http it may work with some browsers only.  I.e. I urge that the Tomcat
> team makes a configuration setting for this. Several other people have
> indicated that they want to use Tomcat in this [not entirely recommendable]
> way.  Such a setting may affect other parts of Tomcat as well but that is just
> a guess, as I know practically nothing about the Tomcat inside.  Locating the
> "&Secure" stuff was just a shot in the air [using grep]...
> ====================================================
> Regards
> Anders Rundgren,
> [a most of the time a] happy Tomcat user
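The cookie handling this thread argues about, as an added model that is not Tomcat's or any browser's code: a Set-Cookie builder that emits the "; Secure" form of the patch, a parser that accepts both ";Secure" and "; Secure", and a cookie jar applying the Secure rule, used to show the https-to-http session loss both correspondents describe. The host name and session id value are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False

def format_set_cookie(cookie: Cookie) -> str:
    """Build a Set-Cookie value; attributes joined with '; ' (semicolon and
    space), the form the patch emits and the one RFC 6265 later made canonical."""
    header = f"{cookie.name}={cookie.value}"
    return header + "; Secure" if cookie.secure else header

def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value, accepting ';Secure' and '; Secure' alike."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return Cookie(name.strip(), value.strip(),
                  any(p.lower() == "secure" for p in parts[1:]))

class CookieJar:
    """Browser model that honours Secure: a Secure cookie is never sent on a
    plain-http request, and (as the message above expects of browsers) a
    Secure cookie arriving over plain http is ignored."""

    def __init__(self) -> None:
        self.store = {}

    def receive(self, url: str, set_cookie: str) -> bool:
        cookie = parse_set_cookie(set_cookie)
        if cookie.secure and urlsplit(url).scheme != "https":
            return False  # dropped: Secure cookie offered over cleartext
        self.store[cookie.name] = cookie
        return True

    def cookie_header(self, url: str) -> str:
        https = urlsplit(url).scheme == "https"
        return "; ".join(f"{c.name}={c.value}" for c in self.store.values()
                         if https or not c.secure)

def jsessionid_after_downgrade(mark_secure: bool) -> str:
    """The https -> http switch from the thread: JSESSIONID set during an https
    login, then a plain-http page on the same host is requested. Returns the
    Cookie header sent ('' = session lost, but the id never went in cleartext)."""
    jar = CookieJar()
    jar.receive("https://app.example/login",
                format_set_cookie(Cookie("JSESSIONID", "abc123", mark_secure)))
    return jar.cookie_header("http://app.example/page")
```

With `mark_secure=True` the session is lost on the http page, which is the breakage reported here; with `False` the session survives, as Jay describes WebSphere doing, at the cost of the session id travelling over cleartext.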
