tomcat-users mailing list archives

From Tim Funk
Subject Re: How do I turn off secure cookies for session IDs?
Date Sat, 24 Jan 2004 01:16:05 GMT
There is no Tomcat option to allow the JSESSION cookie to be non-secure if the 
cookie was issued during https.

A possible workaround is to try to resend the cookie non-secure. I've never 
tried this and don't feel like thinking about the consequences at this second.

Or you can go to a non-secure page first to have the session cookie created.


Dan Forward wrote:
>   I have a web site that uses SSL on the main page for logging in (to encrypt
> the password) but uses standard HTTP on most pages thereafter. I set a value in
> the session that tells me the user is logged in and that value is checked on
> every page. If the value is not present, the application redirects the user to
> the login page. Oddly, the user has had to log in twice in this scenario. I have
> identified the problem, which I will describe below, but have not found a
> solution. Hopefully there is a configuration setting somewhere that will fix it.
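
The double login described in the question, and the "non-secure page first" ordering from the reply, reproduced with Python's http.cookiejar standing in for the browser. This is an added example, not code from the thread or from Tomcat; the host name and session ID values are constructed.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

HOST = "shop.example.com"  # assumed host name, not from the thread


class FakeResponse:
    """Just enough of a response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header(jar, url):
    """Return the Cookie header the client would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def browse(first_scheme, set_cookie):
    """Receive set_cookie from first_scheme://HOST, then visit http and https pages."""
    jar = CookieJar()
    origin = urllib.request.Request(f"{first_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), origin)
    return {s: cookie_header(jar, f"{s}://{HOST}/account") for s in ("http", "https")}


# Session created during https: the container marks the cookie Secure, so the
# follow-up http page gets no session ID and the app redirects to the login page.
issued_on_https = browse("https", "JSESSIONID=CONSTRUCTED1; Path=/; Secure")

# Session created on a non-secure page first: no Secure flag, so the same ID is
# sent on both schemes (and crosses the network in cleartext on the http pages).
issued_on_http = browse("http", "JSESSIONID=CONSTRUCTED2; Path=/")

if __name__ == "__main__":
    print("issued on https:", issued_on_https)
    print("issued on http: ", issued_on_http)
```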
