tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat
Date Fri, 13 Jun 2008 17:08:54 GMT

Bill Davidson wrote:
> Rainer Jung wrote:
>> André Warnier wrote:
>>> And, again in other words, if this parameter was set to Off, and 
>>> Tomcat generated a new session and a JSESSIONID session cookie for 
>>> this session, that the cookie would thus not be marked secure ?
>> Didn't try this. What does your tests say?
> Oooh!  I may want to try this.  I may not have needed to change my app 
> at all.
Yep, I thought you might be interested.
But had this come up sooner, it would have deprived us of a lot of 
interesting information.

By the way, the reason why I can't try it right now is that I just don't 
have the application to try it with.  So whatever I mentioned before 
(but which apprently so far seems ok) was purely by attempting to 
understand the documentation. Beware.

And by the way, I do not know who's in charge of that, but should this 
all turn out to be true, I think that a small addendum in the 
"JkExtractSSL" item of the page 
might avoid a lot of soul-searching in the future.
Like the phrase :
If you set this parameter to "Off", then Tomcat will not know that the 
browser-Apache connection took place under HTTPS, and will treat it as a 
simple HTTP connection.  See ... for more details.


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message