tomcat-users mailing list archives

From "Joe Wallace" <>
Subject RE: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 21:00:47 GMT
I am using session cookies to track sessions.  I am used to Jrun where you would specifically
set the cookie to be sent only over SSL or https.  This was not the default setting.  I want
users to connect to my web site using https then they might click a link on one of my web
pages whose protocol is not secure.  What is the behavior of the JSESSIONID cookie in this


-----Original Message-----
From: Christopher Schultz []
Sent: Tuesday, October 27, 2009 3:42 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL



(Can you fix your emailer to include thread-ids when replying to the
list? Your replies are not properly threaded, here.)

On 10/27/2009 4:12 PM, Joe Wallace wrote:
> I have a filter that calls
> Cookie.getName and 
> Cookie.getSecure
> JSESSIONID returns false even when the connection is always https.
> Tomcat version is 6.0.20.  

If your cookie was created in HTTP mode, then the 'secure' flag will be
set to 'false' on that cookie. Are you sure you are always in HTTP mode?
Please double-check, and remember that /all JSPs will create a session
unless session=false in the @page directive/.

To answer your original question: there is no setting in Tomcat to get
secure=true on your cookies in SSL mode. Tomcat should /always/ use a
secure cookie when the cookie is created in SSL mode.

You may have to re-check your <Connector> attributes for the AJP
connector. Make sure that secure="true" among others.

-chris
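
Added example, not part of the original thread: the Secure attribute travels only in the Set-Cookie response header, while the browser's Cookie request header carries just name=value pairs, so one way to verify what the server issued is to inspect the response headers. The header samples and function names below are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample headers (not captured from a real server).
RESPONSE_OVER_HTTPS = [
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure",
]
RESPONSE_WITHOUT_FLAG = [
    "Set-Cookie: JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/app",
]
REQUEST_FROM_BROWSER = "Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF"


def session_cookie_flags(header_lines, name="JSESSIONID"):
    """Return the Secure/HttpOnly flags of the named cookie as set by the
    response, or None if these headers do not set it."""
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        if name in jar:
            morsel = jar[name]
            return {"secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"])}
    return None


def sent_over_plain_http(header_lines, name="JSESSIONID"):
    """True if a browser would also attach this cookie to http:// requests,
    i.e. the response set it without the Secure attribute."""
    flags = session_cookie_flags(header_lines, name)
    return flags is not None and not flags["secure"]


def request_cookie_pairs(cookie_header):
    """Split a Cookie request header; it holds name=value pairs only,
    so no Secure attribute can be read back from it."""
    _, _, value = cookie_header.partition(":")
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    return dict(p.split("=", 1) for p in pairs)


if __name__ == "__main__":
    print(session_cookie_flags(RESPONSE_OVER_HTTPS))
    print(sent_over_plain_http(RESPONSE_WITHOUT_FLAG))
    print(request_cookie_pairs(REQUEST_FROM_BROWSER))
```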

