tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 22:01:14 GMT
On 27.10.2009 22:10, André Warnier wrote:
> Joe Wallace wrote:
>> -----Original Message-----
>> From: André Warnier []
>> Sent: Tuesday, October 27, 2009 4:48 PM
>> To: Tomcat Users List
>> Subject: Re: SessionID cookie not secure over SSL
>>> Joe Wallace wrote:
>>>> I am using session cookies to track sessions.  I am used to Jrun
>>>> where you would specifically set the cookie to be sent only over SSL
>>>> or https.  This was not the >default setting.  I want users to
>>>> connect to my web site using https then they might click a link on
>>>> one of my web pages whose protocal is not secure.  What is the
>>>> >behavior of the JSESSIONID cookie in this situation.
>>> Joe,
>>> 1) assuming your setup is
>>> browsers <--> IIS  <--> Tomcat
>>             A         B
>>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
>>> 2) "secure" is an attribute of a cookie, written inside of the cookie
>>> by the server creating the cookie in the first place.
>>> If set, it has as consequence that a browser will only send it back
>>> to the original server with subsequent requests, if these subsequent
>>> requests happen over a HTTPS connection.
>>> In other words, if you set the secure attribute on the JSESSIONID
>>> cookie, because for instance your initial request happens over HTTPS,
>>> then you switch to a non-HTTPS part of the site, the browser is
>>> probably no longer going to send this cookie back to the server.
>>> In other words, you will, for practical purposes, "lose your session".
>>> Not so, gurus ?
>> Portion A is using IIS.  IIS holds the SSL cert.
>> I am using AJP 1.3 connector for IIS
>> It is defined in the Tomcat Server.xml
>> <!-- Define an AJP 1.3 Connector on port xxxx -->
>>     <Connector port="8109" protocol="AJP/1.3" redirectPort="443"
>> />
> Am I mistaken then to think that since the connection B from IIS to
> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
> being used ?

It should know that. The AJP13 protocol transports the comunication
situation observed by the web server to Tomcat which then provides it to
the webapp by extracting it from the protocol in the AJP connector.

See also



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message