tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat
Date Fri, 13 Jun 2008 17:08:54 GMT


Bill Davidson wrote:
> Rainer Jung wrote:
>> André Warnier wrote:
>>> And, again in other words, if this parameter was set to Off, and 
>>> Tomcat generated a new session and a JSESSIONID session cookie for 
>>> this session, that the cookie would thus not be marked secure ?
>>
>> Didn't try this. What does your tests say?
> 
> Oooh!  I may want to try this.  I may not have needed to change my app 
> at all.
> 
Yep, I thought you might be interested.
But had this come up sooner, it would have deprived us of a lot of 
interesting information.

By the way, the reason why I can't try it right now is that I just don't 
have the application to try it with.  So whatever I mentioned before 
(but which apprently so far seems ok) was purely by attempting to 
understand the documentation. Beware.

And by the way, I do not know who's in charge of that, but should this 
all turn out to be true, I think that a small addendum in the 
"JkExtractSSL" item of the page 
"http://tomcat.apache.org/connectors-doc/reference/apache.html"
might avoid a lot of soul-searching in the future.
Like the phrase :
If you set this parameter to "Off", then Tomcat will not know that the 
browser-Apache connection took place under HTTPS, and will treat it as a 
simple HTTP connection.  See ... for more details.

André



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message