tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Question on Tomcat 4
Date Wed, 26 Nov 2003 19:55:25 GMT
The "secureCookie" attribute was added to 3.3.2 only to allow backwards
compatibility with 3.3.1.  Like Tomcat 4 and higher, the default is 'true'.
It's a pretty small patch:
http://cvs.apache.org/viewcvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java.diff?r1=1.20&r2=1.21

if you just want to add the feature to 3.3.1.  Like Yoav said, TC 4 and
higher always uses secure cookies.

----- Original Message -----
From: "Shapira, Yoav" <Yoav.Shapira@mpi.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, November 26, 2003 8:37 AM
Subject: RE: Question on Tomcat 4



Howdy,
Tomcat 4 and later are so different from 3.x.  I suggest you do the
migration, if only for the speed and feature increases.  I don't think
there's an "attribute" called "secureCookie" in tomcat4, as there is no
"un-secure" mode.  Perhaps a tomcat 3 guru like Senor Barker can fill in
more information...

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Eduardo Campoy [mailto:ecampoy@novell.com]
>Sent: Wednesday, November 26, 2003 11:33 AM
>To: tomcat-dev@jakarta.apache.org
>Cc: Jason Rivard
>Subject: Question on Tomcat 4
>
>Hello,
>
>I am using Tomcat 3.3.1 with Internet Web Application and after doing an
>ETHICAL HACKING TEST, they discovered a problem in Tomcat session cookie
>(JSESSIONID).
>After reading the Tomcat 3.3.2 manual, there is an attribute called
>"secureCookie" that resolves my issue. BUT Tomcat 3.3.2 is not released
>yet.
>My question is "Does this attribute called "secureCookie" exist in
>TOMCAT 4?"
>
>Thanks in advance
>
>
>
>Eduardo Campoy
>Technology Account Manager
>Novell, THE leading provider of net business solutions
>Tel - 55 11 3345-3938
>Cel - 55 11 9232-7456
>AIM - ecampoy sao
>MSN - eduardocampoy@hotmail.com



