tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47554] o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie.
Date Mon, 27 Jul 2009 09:57:57 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47554





--- Comment #3 from Keiichi Fujino <fujino.keiichi@oss.ntt.co.jp>  2009-07-27 02:57:54
PST ---
I reproduced this case. 

[configuration]
Clustering by TomcatA and TomcatB
Both TomcatA and TomcatB set <Context useHttpOnly="true" />.
Both TomcatA and TomcatB set JvmRouteBinderValve. 
[Test]
accesses TomcatA. (create session.)
accesses TomcatB. (session id is changed by JvmRouteBinderValve. )

At the above test, value of the Set-Cookie header was acquired by using
RequestDumperValve.
It is as follows. 

[Before changing session ID]
...
Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            
header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w;
Path=/test; HttpOnly
...

This means HttpOnly is set.


[After changing session ID by JvmRouteBinderValve]
...
Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            
header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2;
Path=/test
...

This means HttpOnly is not set.

Therefore,
When session ID is changed by JvmRouteBinderValve, HttpOnly is not set to the
Set-Cookie header. 

Best Regards.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message