tomcat-users mailing list archives

From "Joe Wallace" <>
Subject RE: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 21:34:13 GMT
Hi Chris,
You wrote:
>Tomcat will create its JSESSIONID cookie like this in all cases:
>
>Cookie cookie = new Cookie("JSESSIONID", sessionId);
>if (request.isSecure())
>  cookie.setSecure(true);

My filter calls HttpServletRequest.isSecure(), which returns true.
It then calls Cookie.getSecure() for the JSESSIONID cookie, which returns false.

I am expecting this to return true since all connections have been over https.
Or should I be looking elsewhere?



-----Original Message-----
From: Christopher Schultz []
Sent: Tuesday, October 27, 2009 4:07 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL


On 10/27/2009 5:00 PM, Joe Wallace wrote:
> I am using session cookies to track sessions.  I am used to JRun,
> where you would specifically set the cookie to be sent only over SSL
> or https.  This was not the default setting.  I want users to connect
> to my web site using https; then they might click a link on one of my
> web pages whose protocol is not secure.  What is the behavior of the
> JSESSIONID cookie in this situation?

Tomcat will create its JSESSIONID cookie like this in all cases:

Cookie cookie = new Cookie("JSESSIONID", sessionId);
if (request.isSecure())
  cookie.setSecure(true);

(Note that the code might not look exactly like this, but it behaves in
this way).

So, if your session was created during a non-secure request, you'll get
a non-secure cookie. The solution? Make all your requests HTTPS. If you
have non-secure pages, you'll need to make sure they don't call
request.getSession(true) either explicitly or implicitly (say, by
forgetting to set session="false" for a JSP).

-chris
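Two things follow from the behaviour described in this thread. First, checking Cookie.getSecure() on a cookie taken from request.getCookies() can never succeed: browsers send back only name=value in the Cookie header, never the attributes, so the Servlet API parses every incoming cookie with secure=false. The Secure flag is only observable on the Set-Cookie response header (for example in a browser's header view). Second, the advice to keep plain-HTTP pages from calling getSession(true) can be enforced mechanically. The filter below is an added example, not Tomcat code and not code from either poster; it uses only the Servlet 2.5 API (javax.servlet.*), and the class name and the "failLoudly" init-param are hypothetical. It wraps every non-HTTPS request so that getSession(true) degrades to getSession(false): an existing session is still returned, but a new one is never minted over plain HTTP, so every JSESSIONID Tomcat creates is created during an HTTPS request and carries the Secure flag.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Tomcat code, not from the thread). Servlet 2.5 API.
 *
 * Refuses to create a *new* session on a plain-HTTP request. Because Tomcat
 * marks JSESSIONID Secure only when the session is created during an HTTPS
 * request, this guarantees every session cookie it mints carries the flag.
 * Sessions that already exist remain readable over HTTP.
 */
public class NoPlainHttpSessionFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(NoPlainHttpSessionFilter.class.getName());

    /** Hypothetical init-param: throw on offending pages instead of returning null. */
    private boolean failLoudly;

    public void init(FilterConfig config) throws ServletException {
        failLoudly = "true".equalsIgnoreCase(config.getInitParameter("failLoudly"));
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // isSecure() is true only when this request arrived over HTTPS
        // (or the connector is configured to report it as secure).
        if (!request.isSecure()) {
            request = new NoNewSessionRequest(request, failLoudly);
        }
        chain.doFilter(request, res);
    }

    /** Request wrapper that downgrades getSession(true) to getSession(false). */
    static final class NoNewSessionRequest extends HttpServletRequestWrapper {
        private final boolean failLoudly;

        NoNewSessionRequest(HttpServletRequest request, boolean failLoudly) {
            super(request);
            this.failLoudly = failLoudly;
        }

        @Override
        public HttpSession getSession() {
            // The wrapper's default delegates straight to the wrapped request,
            // so the no-arg form must be routed through our check as well.
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            HttpSession existing = super.getSession(false);
            if (existing != null || !create) {
                return existing;
            }
            // Reached only when a servlet calls getSession()/getSession(true), or a
            // JSP lacks session="false", on a plain-HTTP request: exactly the case
            // that would have produced a JSESSIONID without the Secure flag.
            String where = getRequestURI();
            if (failLoudly) {
                throw new IllegalStateException(
                        "refusing to create a session over plain HTTP for " + where);
            }
            LOG.warning("session creation suppressed over plain HTTP for " + where);
            return null;
        }
    }
}
```

Map the filter to url-pattern /* in web.xml (ahead of any other filter that touches the session) and set the failLoudly init-param to true while testing. Returning null from getSession(true) deliberately departs from the API contract: a page that then fails with a NullPointerException over HTTP is precisely a page that is missing session="false" or belongs behind an HTTPS-only mapping, which is the audit this thread recommends.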

