tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Makower <>
Subject Re: IE 5 on Mac is incompatible with TC 4?
Date Fri, 08 Mar 2002 16:12:18 GMT
I've been watching this thread with some interest, because I have had no
difficulty using cookie-based sessions on Tomcat 4.0.1 with Mac OS X and IE.

Judging from the headers you reproduced in your email, it would appear the
Tomcat has been configured in such a way as to treat the session cookie as
secure, which means that it should ONLY be sent over an encrypted
connection.  As a result, the browser will NOT send the cookie over a
regular HTTP session, so if you switch back and forth between regular HTTP
and HTTP/SSL (i.e., "https"), the requests will not use the same session.

In order to maintain sessions across HTTP and HTTPS, we use a non-secure
cookie as the session ID (I think this is the default, anyway).  Once
someone logs in, which we only allow to occur over SSL, we and set a secure
cookie with a randomly-generated value in the response.  After that, we
redirect all traffic that requires a logged-in user to HTTPS, and only treat
them as really logged in if the secure cookie is present, and matches the
value generated by us when they logged in.  This allows us to switch the
browser back and forth between HTTP and HTTPS at will, and only require the
user to log in once per session.

The system described above relies on correct behavior of cookies on the Mac
in IE, and it works for us.  I don't know if any behavior on the Tomcat side
has changed since 4.0.1, but I would tend to doubt it.

Why are you using a secure cookie for the session cookie?  Do you need to?
If so, you can't expect the session to remain intact across HTTP and HTTPS
requests.  Any browser that DOES send a secure cookie over a straight HTTP
request is dangerously out of spec.

On 3/8/02 10:32 AM, "Anders Rundgren" <> wrote:
> Just done!  No cookies are sent from IE which means that TC is likely
> to send something IE 5 Mac does not understand.  "Secure" is an addition that
> TC offer but not IIS.  Secure is though RFCxxxx-compliant so maybe IE 5/mac
> *is* broken.
> -----------
> Date: Fri, 08 Mar 2002 15:00:42 GMT
> Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6 mod_jk/1.2.0
> EXPIRES: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: JSESSIONID=7C1F8E3DD950780CA775B3EB3AE74D16;Path=/BuyerASP;Secure
> Connection: close
> Content-Type: text/html
> ---
> Server: Microsoft-IIS/5.0
> Date: Fri, 08 Mar 2002 15:13:12 GMT
> Connection: Keep-Alive
> Content-Length: 1443
> Content-Type: text/html
> Expires: Fri, 08 Mar 2002 15:12:12 GMT
> Cache-control: private

| Dave Makower                        <>             |
|                                           |

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message