tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 20:07:14 GMT

Joe,

On 10/27/2009 5:00 PM, Joe Wallace wrote:
> I am using session cookies to track sessions.  I am used to Jrun
> where you would specifically set the cookie to be sent only over SSL
> or https.  This was not the default setting.  I want users to connect
> to my web site using https then they might click a link on one of my
> web pages whose protocol is not secure.  What is the behavior of the
> JSESSIONID cookie in this situation?

Tomcat will create its JSESSIONID cookie like this in all cases:

Cookie cookie = new Cookie("JSESSIONID", sessionId);
if(request.isSecure())
  cookie.setSecure(true);

(Note that the code might not look exactly like this, but it behaves in
this way).

So, if your session was created during a non-secure request, you'll get
a non-secure cookie. The solution? Make all your requests HTTPS. If you
have non-secure pages, you'll need to make sure they don't call
request.getSession(true) either explicitly or implicitly (say, by
forgetting to set session="false" for a JSP).

- -chris
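One way to catch the accidental session creation the reply above warns about, as an added example that is not from the original thread or from Tomcat itself: a servlet filter that notices when a plain-HTTP request ends with a newly created session and logs the request URI, optionally invalidating that session. It assumes the javax.servlet 2.5 API of the era and a hypothetical init-param named invalidate.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Flags (and optionally invalidates) sessions that get created during a
// plain-HTTP request. Such a session's JSESSIONID cookie was issued without
// the Secure flag, exactly the case described in the reply above.
// Assumption: javax.servlet 2.5 API; "invalidate" is a hypothetical init-param.
public class InsecureSessionCreationFilter implements Filter {
    private ServletContext context;
    private boolean invalidate;  // init-param "invalidate" = "true" to kill such sessions

    public void init(FilterConfig config) {
        context = config.getServletContext();
        invalidate = "true".equalsIgnoreCase(config.getInitParameter("invalidate"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Remember whether a session already existed before the page ran.
        boolean hadSession = request.getSession(false) != null;

        chain.doFilter(req, res);  // run the servlet or JSP

        if (request.isSecure() || hadSession) {
            return;  // HTTPS request, or the session predates this request
        }
        HttpSession session = request.getSession(false);
        if (session != null && session.isNew()) {
            // A JSP or servlet called getSession(true) over HTTP: the cookie
            // Tomcat just sent carries no Secure flag. Record which URL did it
            // so the page can be fixed (e.g. <%@ page session="false" %>).
            context.log("Session created over plain HTTP by " + request.getRequestURI());
            if (invalidate) {
                session.invalidate();  // the non-Secure cookie now names nothing
            }
        }
    }

    public void destroy() { }
}
```

Map it to url-pattern /* in web.xml. The filter cannot retroactively add the Secure flag to a cookie Tomcat has already sent, which is why the durable fix remains keeping session creation off HTTP pages.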


