tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Thu, 12 Jun 2008 01:32:39 GMT

"Christopher Schultz" <> wrote in message
> Hash: SHA1
> |
> | - the behaviour of browsers versus secure/non-secure cookies is not new,
> | and neither is the fact that Tomcat generates a secure JSESSIONID cookie
> | when the session starts under HTTPS.  So how come this thing was working
> | before the Tomcat change of version, but no longer afterward ?
> | Or did I miss a post somewhere ?
> It's tough to tell. The OP was using TC 3.2.4 (ancient!) and it might
> not have been setting the "secure" flag on that cookie. It's the
> cookie's "secure" flag that dictates the security policy, not the use of
> HTTPS (or not). You could go back and look at the code for 3.2.4 and see
> if the "secure" flag was being set on cookies.

This is correct. TC 3.2.4 never set the "secure" flag on that cookie, and TC 
3.3.2 would only set it if you enabled an option in server.xml.  This 
feature of TC is only on TC 4.0 and higher.

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message