tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joe Wallace" <>
Subject RE: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 22:01:10 GMT

-----Original Message-----
From: André Warnier []
Sent: Tuesday, October 27, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL

>Joe Wallace wrote:
>> I am using session cookies to track sessions.  I am used to Jrun where you would
specifically set the cookie to be sent only over SSL or https.  This was not the >default
setting.  I want users to connect to my web site using https then they might click a link
on one of my web pages whose protocal is not secure.  What is the >behavior of the JSESSIONID
cookie in this situation.

>1) assuming your setup is

>browsers <--> IIS  <--> Tomcat
            A         B

>which portion(s) is(/are) using HTTPS ? A ? B ? both ?

>2) "secure" is an attribute of a cookie, written inside of the cookie by 
>the server creating the cookie in the first place.
>If set, it has as consequence that a browser will only send it back to 
>the original server with subsequent requests, if these subsequent 
>requests happen over a HTTPS connection.

>In other words, if you set the secure attribute on the JSESSIONID 
>cookie, because for instance your initial request happens over HTTPS, 
>then you switch to a non-HTTPS part of the site, the browser is probably 
>no longer going to send this cookie back to the server.
>In other words, you will, for practical purposes, "lose your session".

>Not so, gurus ?

Portion A is using IIS.  IIS holds the SSL cert.
I am using AJP 1.3 connector for IIS
It is defined in the Tomcat Server.xml

<!-- Define an AJP 1.3 Connector on port xxxx -->
    <Connector port="8109" protocol="AJP/1.3" redirectPort="443"


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message