tomcat-users mailing list archives

From "Joe Wallace" <j...@andar360.com>
Subject RE: SessionID cookie not secure over SSL
Date Tue, 27 Oct 2009 22:31:21 GMT

André Warnier wrote:
>Am I mistaken then to think that since the connection B from IIS to 
>Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is 
>being used ?
>Whatever consequences this has in the context (and which are beyond my 
>expertise).

André,
I guess that is the question.

The filter I have in Tomcat calls request.isSecure().
This returns true.

(All requests have been using https)

If Tomcat does this:

    // (Joe's snippet, reformatted) mark the cookie Secure when the request arrived over HTTPS
    if (request.isSecure())
        cookie.setSecure(true);

a call to cookie.getSecure() should return true.

But the same filter that returns true for request.isSecure()
calls Cookie.getSecure() and it returns false. 

Joe

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Tuesday, October 27, 2009 5:11 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL


Joe Wallace wrote:
> 
> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Tuesday, October 27, 2009 4:48 PM
> To: Tomcat Users List
> Subject: Re: SessionID cookie not secure over SSL
> 
> 
>> Joe Wallace wrote:
>>> I am using session cookies to track sessions.  I am used to JRun, where you would
>>> specifically set the cookie to be sent only over SSL or https.  This was not the default
>>> setting.  I want users to connect to my web site using https; then they might click a link
>>> on one of my web pages whose protocol is not secure.  What is the behavior of the JSESSIONID
>>> cookie in this situation?
>>>
>> Joe,
> 
>> 1) assuming your setup is
> 
>> browsers <--> IIS  <--> Tomcat
>             A         B
> 
>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
> 
>> 2) "secure" is an attribute of a cookie, written inside of the cookie by 
>> the server creating the cookie in the first place.
>> If set, it has as consequence that a browser will only send it back to 
>> the original server with subsequent requests, if these subsequent 
>> requests happen over a HTTPS connection.
> 
>> In other words, if you set the secure attribute on the JSESSIONID 
>> cookie, because for instance your initial request happens over HTTPS, 
>> then you switch to a non-HTTPS part of the site, the browser is probably 
>> no longer going to send this cookie back to the server.
>> In other words, you will, for practical purposes, "lose your session".
> 
>> Not so, gurus ?
> 
> Portion A is using IIS.  IIS holds the SSL cert.
> I am using the AJP 1.3 connector for IIS.
> It is defined in the Tomcat Server.xml:
> 
> <!-- Define an AJP 1.3 Connector on port xxxx -->
> <Connector port="8109" protocol="AJP/1.3" redirectPort="443" />
> 

>Am I mistaken then to think that since the connection B from IIS to 
>Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is 
>being used ?
>Whatever consequences this has in the context (and which are beyond my 
>expertise).
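
André's description of the Secure attribute, played out as an added example (not code from this thread) with Python's standard-library cookie jar, which applies the same rule a browser does: the cookie is returned over https, withheld over http, and when it is returned the Cookie header carries only the name=value pair, none of the attributes. The host example.test, the paths and the JSESSIONID value are constructed.

```python
"""Simulate how a browser handles a JSESSIONID cookie with and without the
Secure attribute when a site mixes https and http links."""
import email.message
import http.cookiejar
import urllib.request

# Constructed sample Set-Cookie headers, as a servlet container might emit them.
SECURE_SESSION = "JSESSIONID=CONSTRUCTED123; Path=/; Secure"
PLAIN_SESSION = "JSESSIONID=CONSTRUCTED123; Path=/"


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_value, login_url, next_url):
    """Store the cookie received with the response to login_url, then return
    the Cookie header a browser would attach to next_url (None if withheld)."""
    jar = http.cookiejar.CookieJar()  # default policy: Secure cookies need https
    jar.extract_cookies(_FakeResponse(set_cookie_value),
                        urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def session_outcomes():
    """The scenario from the thread: log in over https on example.test (a
    constructed host), then follow a link to an http page on the same host."""
    login = "https://example.test/login"
    https_page = "https://example.test/account"
    http_page = "http://example.test/news"
    return {
        "secure cookie, https link": cookie_header_for(SECURE_SESSION, login, https_page),
        "secure cookie, http link": cookie_header_for(SECURE_SESSION, login, http_page),
        "plain cookie, https link": cookie_header_for(PLAIN_SESSION, login, https_page),
        "plain cookie, http link": cookie_header_for(PLAIN_SESSION, login, http_page),
    }


if __name__ == "__main__":
    for scenario, header in session_outcomes().items():
        # Secure cookie + http link gives None: the session is "lost".
        # Plain cookie + http link gives the id: the session id went over cleartext.
        print(f"{scenario:26s} -> Cookie: {header}")
```

The trade-off the thread circles around is visible in the last two cases: without Secure the session survives the http link, but the session id is then exposed on the wire.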
