tomcat-users mailing list archives

From "Biagi, Bill (Contractor)" <bill_bi...@fanniemae.com>
Subject RE: setting secure cookie in Tomcat 5.0 config
Date Thu, 04 Oct 2007 18:30:25 GMT
I would turn on SSL in Tomcat for the traffic between the load balancers
and the Tomcat servers but it kind of defeats the purpose of using the
dedicated crypto engines in the load balancers.

BB 


This e-mail and its attachments are confidential and solely for the
intended addressee(s). Do not share or use them without Fannie Mae's
approval. If received in error, contact the sender and delete them.


-----Original Message-----
From: Tim Funk [mailto:funkman@joedog.org] 
Sent: Thursday, October 04, 2007 2:13 PM
To: Tomcat Users List
Subject: Re: setting secure cookie in Tomcat 5.0 config

Not really.  The reason is it's rather nonsensical for any webserver to 
set a cookie as secure when the request is not secure.

-Tim

Biagi, Bill (Contractor) wrote:
> I've got a set of Cisco load balancers doing the SSL so Tomcat does not
> know that these sessions are SSL.  My guess is that is why it is not
> being set.  Is there any way to force Tomcat to set the jsessionid
> cookie to secure?
> 
> BB 
> 
> 
> 
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org] 
> Sent: Thursday, October 04, 2007 1:38 PM
> To: Tomcat Users List
> Subject: Re: setting secure cookie in Tomcat 5.0 config
> 
> You'll need to install fiddler to sniff when the cookie is being set. If
> the request is SSL and during that request, the JSESSIONID cookie is
> created - it will be SSL. So either the cookie is being set some other
> time, or IE is lying that the cookie is secure. (Or something else)
> 
> -Tim
> 
> Biagi, Bill (Contractor) wrote:
>> The session is SSL and according to IE the jsessionid cookie is not
>> secure.
>>
>> BB
>>
>>
>> -----Original Message-----
>> From: Tim Funk [mailto:funkman@joedog.org] 
>> Sent: Thursday, October 04, 2007 1:14 PM
>> To: Tomcat Users List
>> Subject: Re: setting secure cookie in Tomcat 5.0 config
>>
>> If you are talking about the JSESSIONID cookie - if the session is 
>> created while you are using SSL  - the secure flag is set for you. 
>> Nothing to configure.
>>
>> -Tim
>>
>> Biagi, Bill (Contractor) wrote:
>>> How do you set Tomcat 5.0 to use secure cookies on an SSL session? Back
>>> in 3.3 it was an attribute in server.xml of the SessionId module element
>>> called secureCookie. Setting it to true used to mark the session id
>>> cookie as "secure" if the session was established over SSL.
> 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
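
The check suggested in the thread (find which response sets JSESSIONID and whether it carries the Secure attribute) can be scripted over a header capture. This is an added example, not part of the original messages; the capture data, host name and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed capture (not from the thread): the URL as the browser requested it
# and the Set-Cookie header values on that response, e.g. exported from a proxy.
CAPTURE = [
    ("https://app.example.test/login", ["JSESSIONID=A1B2C3; Path=/app"]),
    ("https://app.example.test/home", []),
    ("https://app.example.test/report",
     ["theme=dark; Path=/", "JSESSIONID=D4E5F6; Path=/app; Secure"]),
    ("http://app.example.test/help", ["JSESSIONID=0F0F0F; Path=/app"]),
]


def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookie(capture, cookie_name="JSESSIONID"):
    """List every response that sets the session cookie, with a verdict on Secure."""
    findings = []
    for index, (url, headers) in enumerate(capture):
        https = urlsplit(url).scheme.lower() == "https"
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if name != cookie_name:
                continue
            secure = "secure" in attrs
            if not https:
                verdict = "set-over-http"
            elif secure:
                verdict = "ok"
            else:
                verdict = "missing-secure-on-https"
            findings.append({"response": index, "url": url,
                             "secure": secure, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookie(CAPTURE):
        print(finding)
```

A "missing-secure-on-https" verdict on a browser-facing HTTPS URL matches the situation described above, where SSL ends at the load balancer and the container sees a plain HTTP request.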

