tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 19:42:07 GMT

Joe,

(Can you fix your emailer to include thread-ids when replying to the
list? Your replies are not properly threaded, here.)

On 10/27/2009 4:12 PM, Joe Wallace wrote:
> I have a filter that calls
> Cookie.getName and 
> Cookie.getSecure
> JSESSIONID returns false even when the connection is always https.
> Tomcat version is 6.0.20.  

If your cookie was created in HTTP mode, then the 'secure' flag will be
set to 'false' on that cookie. Are you sure you are always in HTTP mode?
Please double-check, and remember that /all JSPs will create a session
unless session=false in the @page directive/.

To answer your original question: there is no setting in Tomcat to get
secure=true on your cookies in SSL mode. Tomcat should /always/ use a
secure cookie when the cookie is created in SSL mode.

You may have to re-check your <Connector> attributes for the AJP
connector. Make sure that secure="true" among others.

-chris
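
The connector re-check suggested in the message above can be scripted. This is an added example, not part of the original post or of Tomcat: it lists every `<Connector>` in a `server.xml` and flags those that do not declare `secure="true"`. The sample file is constructed, and checking `scheme` as one of the "others" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one HTTPS connector,
# one AJP connector left at its defaults, one AJP connector marked secure.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" scheme="https" secure="true" />
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Return one finding per <Connector>. Attributes that are absent fall
    back to Tomcat's documented defaults: secure="false", scheme="http"."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        secure = conn.get("secure", "false").strip().lower() == "true"
        scheme = conn.get("scheme", "http").strip().lower()
        issues = []
        if not secure:
            # Expected on a plain-HTTP connector, worth a look on one that
            # only ever carries traffic that arrived over SSL.
            issues.append('secure is not "true"')
        if secure and scheme != "https":
            # Assumption of this example: the two attributes should agree.
            issues.append('secure="true" but scheme is not "https"')
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "secure": secure,
            "scheme": scheme,
            "issues": issues,
        })
    return findings

def flagged_ports(server_xml):
    """Ports of the connectors that have at least one issue."""
    return [f["port"] for f in audit_connectors(server_xml) if f["issues"]]

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['protocol']:>9} port {f['port']}: {status}")
```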
