tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: SessionID cookie not secure over SSL
Date Wed, 28 Oct 2009 14:45:06 GMT
Pid wrote:
> On 27/10/2009 22:31, Joe Wallace wrote:
>> André Warnier wrote:
>>> Am I mistaken then to think that since the connection B from IIS to
>>> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
>>> being used ?
>>> Whatever consequences this has in the context (and which are beyond my
>>> expertise).
>> Andre,
>> I guess that is the question.
>> The filter I have in Tomcat calls request.isSecure().
>> This returns true.
>> (All requests have been using https)
> What steps are you taking to ensure this is the case?
> How are you enforcing HTTPS, are you using a 
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>?
> Under the general category of asking the obvious, can you clear all 
> existing cookies and then use Firebug/LiveHTTPHeaders in Firefox (or the 
> browser of your choice) to see exactly when the first Set-Cookie header 
> occurs?
And just as a reminder, and because the OP keeps quoting my hypothesis 
above : apparently I was mistaken, and Rainer Jung (mod_jk 
developer/maintainer) explained why, a couple of posts ago.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message