tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SessionID cookie not secure over SSL
Date Wed, 28 Oct 2009 16:39:34 GMT

Joe,

On 10/28/2009 11:55 AM, Joe Wallace wrote:
> From Firefox Live HTTP Headers
> 
> Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure
> Location: https://216.94.100.154/inetwork/Start.jsp
> 
> Hmmmm.  That looks like it is secure

Yup.

> My filter is getting this.
> 
>  Cookie0 name= JSESSIONID
>  Cookie0 value= B4F06784FE4EAA0A7C9830BBF86D85B4
>  Cookie0 isSecure = false

Aah, I see the problem: the cookie /is/ secure, but the browser doesn't
provide the "secure" flag when making a request, so the server has no
idea whether the cookie is in secure mode or not.

Rest assured that the browser will only send this cookie when using HTTPS.

-chris
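Added example, not part of the original message and not Tomcat code: a Python sketch of the exchange described above, showing that the client keeps the `Secure` attribute from `Set-Cookie`, uses it to decide whether to send the cookie, and returns only `name=value` to the server. The helper names and the host `app.example` are constructed for illustration; Domain and Expires handling are left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Response header quoted in the thread.
SET_COOKIE = "JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure"


def store(set_cookie_value):
    """Client: parse a Set-Cookie value, keeping its attributes in the jar."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return jar


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path.startswith(prefix)


def cookie_header(jar, url):
    """Client: build the Cookie request header for url, or None."""
    # Attributes gate sending only; they are never written into the header.
    target = urlsplit(url)
    pairs = []
    for name, morsel in jar.items():
        if morsel["secure"] and target.scheme != "https":
            continue  # Secure cookies stay off plaintext connections
        if not path_matches(target.path or "/", morsel["path"] or "/"):
            continue
        pairs.append(f"{name}={morsel.value}")
    return "; ".join(pairs) or None


def server_view(header):
    """Server: everything a filter can recover from the Cookie header."""
    seen = SimpleCookie()
    seen.load(header or "")
    return {n: {"value": m.value, "secure": bool(m["secure"])}
            for n, m in seen.items()}


if __name__ == "__main__":
    jar = store(SET_COOKIE)
    for url in ("https://app.example/inetwork/Start.jsp",  # constructed host
                "http://app.example/inetwork/Start.jsp"):
        sent = cookie_header(jar, url)
        print(url, "->", sent, server_view(sent))
```

A filter that needs to know whether the session cookie is protected should look at the `Set-Cookie` response header or at the connection itself (`ServletRequest.isSecure()`), not at the request cookie's flag.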


