tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: How do I turn off secure cookies for session IDs?
Date Sat, 24 Jan 2004 01:16:05 GMT
There is no Tomcat option to allow the JSESSION cookie to be non-secure if the 
cookie was issued during https.

A possible workaround is to try to resend the cookie non-secure. I've never 
tried this and don't feel like thinking about the consequences at this second.

Or you can go to a non-secure page first to have the session cookie created.

-Tim

Dan Forward wrote:
>   I have a web site that uses SSL on the main page for logging in (to encrypt
> the password) but uses standard HTTP on most pages thereafter. I set a value in
> the session that tells me the user is logged in and that value is checked on
> every page. If the value is not present, the application redirects the user to
> the login page. Oddly, the user has had to log in twice in this scenario. I have
> identified the problem, which I will describe below, but have not found a
> solution. Hopefully there is a configuration setting somewhere that will fix it.
> 

