tomcat-users mailing list archives

From André Warnier
Subject Re: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 20:47:38 GMT
Joe Wallace wrote:
> I am using session cookies to track sessions.  I am used to Jrun where you would specifically
> set the cookie to be sent only over SSL or https.  This was not the default setting.  I want
> users to connect to my web site using https then they might click a link on one of my web
> pages whose protocol is not secure.  What is the behavior of the JSESSIONID cookie in this

1) assuming your setup is

browsers <--> IIS  <--> Tomcat
            A         B

which portion(s) is(/are) using HTTPS ? A ? B ? both ?

2) "secure" is an attribute of a cookie, written inside of the cookie by 
the server creating the cookie in the first place.
If set, it has as consequence that a browser will only send it back to 
the original server with subsequent requests, if these subsequent 
requests happen over a HTTPS connection.

In other words, if you set the secure attribute on the JSESSIONID 
cookie, because for instance your initial request happens over HTTPS, 
then you switch to a non-HTTPS part of the site, the browser is probably 
no longer going to send this cookie back to the server.
In other words, you will, for practical purposes, "lose your session".

Not so, gurus ?
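The behaviour described in the reply can be reproduced with a client-side cookie jar. The following is an added illustration, not code from the thread or from Tomcat: it uses Python's standard-library http.cookiejar, whose DefaultCookiePolicy honours the Secure attribute the same way a browser does, as a stand-in for the browser. The host example.com, the /app path and the JSESSIONID value are constructed for the example. One jar receives a JSESSIONID cookie carrying Secure, another receives the same cookie without it; each is then asked what Cookie header it would attach to an https:// and to an http:// request on the same site.

```python
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()
    and reads Set-Cookie headers from the returned message object."""

    def __init__(self, headers):
        msg = email.message.Message()
        for name, value in headers:
            msg[name] = value
        self._msg = msg

    def info(self):
        return self._msg


def receive_session_cookie(jar, set_cookie_value, login_url="https://example.com/app/login"):
    """Simulate the server issuing JSESSIONID via Set-Cookie in its reply
    to login_url (constructed URL; the login itself happens over HTTPS)."""
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([("Set-Cookie", set_cookie_value)]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would send with a request to url,
    or None if the jar's policy (including the Secure check) withholds it."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed session id; a real JSESSIONID is a random value chosen by Tomcat.
SESSION_COOKIE = "JSESSIONID=A1B2C3D4"


def demo():
    """Compare a Secure and a non-Secure session cookie on https vs http.

    Returns {"secure": {...}, "insecure": {...}} mapping each scheme to the
    Cookie header that would be sent (or None)."""
    variants = {
        "secure": SESSION_COOKIE + "; Path=/app; Secure; HttpOnly",
        "insecure": SESSION_COOKIE + "; Path=/app; HttpOnly",
    }
    results = {}
    for label, set_cookie_value in variants.items():
        jar = http.cookiejar.CookieJar()  # fresh "browser" per variant
        receive_session_cookie(jar, set_cookie_value)
        results[label] = {
            "https": cookie_header_for(jar, "https://example.com/app/page"),
            "http": cookie_header_for(jar, "http://example.com/app/page"),
        }
    return results


if __name__ == "__main__":
    for label, per_scheme in demo().items():
        for scheme, header in per_scheme.items():
            print(f"{label:8s} cookie, {scheme:5s} request -> Cookie: {header}")
```

With the Secure attribute, the https request carries `JSESSIONID=A1B2C3D4` and the http request carries no Cookie header at all, which is exactly the "lost session" described above. Without the attribute the jar sends the session id over both schemes, so following a plain-http link transmits the session identifier in cleartext; that trade-off is why the attribute exists, and why a site that wants to keep the session across a mix of http and https pages cannot simply rely on Secure.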
