tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24739] - Control of secure flag when establishing sessions through https using cookies
Date Tue, 25 Nov 2003 00:41:12 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24739>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24739

Control of secure flag when establishing sessions through https using cookies

medthomas@ntlworld.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Minor                       |Enhancement



------- Additional Comments From medthomas@ntlworld.com  2003-11-25 00:41 -------
Tomcat 4 (and 5) work this way to protect sessions created in SSL from being 
at risk of session hijacking if transferred back to http. That being said, 
there have been a number of requests for this type of functionality on tomcat-
user.

As this is not strictly a bug, I am setting it to an enhancement request. 
Until such time as a patch is written, using something similar to the 
following in your jsp will provide a work-around.

<A HREF="http://localhost:8080/bug24739/display.jsp;jsessionid=<%=session.getId
()%>">display session cookie(http)</A>

Obviously, you will need to 
replace "http://localhost:8080/bug24739/display.jsp" with something 
appropriate to your environment.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message