tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SessionID cookie not secure over SSL
Date Wed, 28 Oct 2009 16:35:06 GMT

Joe,

On 10/27/2009 5:34 PM, Joe Wallace wrote:
> Hi Chris,
> You wrote:
>> Tomcat will create its JSESSIONID cookie like this in all cases:
> 
>> Cookie cookie = new Cookie("JSESSIONID", sessionId);
>> if(request.isSecure())
>>  cookie.setSecure(true);
> 
> My filter calls HttpServletRequest.isSecure() which returns true.
> It then calls Cookie.getSecure() for the JSESSIONID cookie which returns false.
> 
> I am expecting this to return true since all connections have been over https.
> Or should I be looking elsewhere?

If this is what you are observing, then the cookie is being created
during a non-https request. I would recommend clearing the cookie for
your site in your browser, then visiting your site until you see the
cookie appear.

You can use an HttpServletRequestWrapper + a Filter to see where the
session is being created if you'd rather not watch HTTP traffic.

-chris

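The HttpServletRequestWrapper + Filter approach suggested in the message above could look like the following. This is an added example, not code from the original message or from Tomcat; the class name `SessionCreationTraceFilter` is hypothetical, and the `javax.servlet` namespace is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; the class name is hypothetical. Logs each point where a
// session (and so the JSESSIONID cookie) is first created, and whether the
// request was secure at that moment.
public class SessionCreationTraceFilter implements Filter {

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new TracingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    private static final class TracingRequest extends HttpServletRequestWrapper {
        TracingRequest(HttpServletRequest request) { super(request); }

        @Override
        public HttpSession getSession() { return getSession(true); }

        @Override
        public HttpSession getSession(boolean create) {
            boolean existed = super.getSession(false) != null;
            HttpSession session = super.getSession(create);
            if (!existed && session != null) {
                String msg = "Session created: uri=" + getRequestURI()
                        + " scheme=" + getScheme() + " isSecure=" + isSecure();
                // The Throwable is never thrown; it only carries the stack trace
                // of the caller that triggered session creation. The session id
                // itself is deliberately not logged.
                session.getServletContext().log(msg, new Throwable("session creation site"));
            }
            return session;
        }
    }
}
```

Map the filter to `/*` ahead of other filters so that every downstream `getSession()` call goes through the wrapper. Sessions the container creates before the filter chain runs (for example in an authenticator valve) do not pass through it.
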

