tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: SessionID cookie not secure over SSL
Date Wed, 28 Oct 2009 16:58:20 GMT
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Joe,
> 
> On 10/28/2009 11:55 AM, Joe Wallace wrote:
>> From Firefox Live HTTP Headers
>>
>> Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure
>> Location: https://216.94.100.154/inetwork/Start.jsp
>>
>> Hmmmm.  That looks like it is secure
> 
> Yup.
> 
>> My filter is getting this.
>>
>>  Cookie0 name= JSESSIONID
>>  Cookie0 value= B4F06784FE4EAA0A7C9830BBF86D85B4
>>  Cookie0 isSecure = false
> 
> Aah, I see the problem: the cookie /is/ secure, but the browser doesn't
> provide the "secure" flag when making a request, so the server has no
> idea whether the cookie is in secure mode or not.
> 
> Rest assured that the browser will only send this cookie when using HTTPS.
> 
And when your browser makes the request, using LiveHTTPHeaders or 
HttpFox, you should be able to see if that's the case, in the Cookie: 
headers.
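
The behaviour discussed in this thread, as an added example that is not part of the original messages: `Secure` travels only in the `Set-Cookie` response header, so a check for it belongs on the response side, not on the request's `Cookie:` header. The two header values are the ones quoted above; the weak header and all function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Header values taken from the exchange quoted in the thread.
SET_COOKIE = "JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure"
COOKIE = "JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4"
# Constructed counter-example: a session cookie issued without Secure.
SET_COOKIE_WEAK = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/inetwork"


def parse_set_cookie(value):
    """Response side: attributes such as Path and Secure are on the wire."""
    jar = SimpleCookie()
    jar.load(value)
    return {name: {"value": m.value, "path": m["path"], "secure": bool(m["secure"])}
            for name, m in jar.items()}


def parse_cookie(value):
    """Request side: the Cookie header carries only name=value pairs."""
    pairs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            pairs[name] = val
    return pairs


def server_view(cookie_header):
    """What a server-side filter can learn from the request alone.

    No attribute is echoed back, so 'secure' can only be a default (False).
    """
    return {name: {"value": val, "secure": False}
            for name, val in parse_cookie(cookie_header).items()}


def missing_secure(set_cookie_headers, names=("JSESSIONID",)):
    """Audit response headers: report (name, path) of cookies set without Secure."""
    findings = []
    for header in set_cookie_headers:
        for name, attrs in parse_set_cookie(header).items():
            if name in names and not attrs["secure"]:
                findings.append((name, attrs["path"]))  # never log the session ID
    return findings


if __name__ == "__main__":
    print("response:", parse_set_cookie(SET_COOKIE))
    print("request :", server_view(COOKIE))
    print("audit   :", missing_secure([SET_COOKIE, SET_COOKIE_WEAK]))
```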

