tomcat-users mailing list archives

From Brian McBride <>
Subject Re: HtttServletRequest.getSession()
Date Thu, 16 Sep 2010 12:49:37 GMT
On 14/09/2010 23:17, André Warnier wrote:

> Personal interpretation : if the browser receives a cookie marked 
> "secure", it should only send it back with requests happening over an 
> HTTPS connection.
> (No matter if it was received over HTTP or HTTPS).
I'm using httpunit for testing.  I observe it receiving a new JSESSIONID 
cookie over SSL and immediately sending it back over an open connection.

The text you quote is from RFC 2965.  My inexpert reading is that it 
specifies the behaviour for Set-Cookie2 headers.    It includes:

Older user agents that do not understand this specification, but that do 
understand Netscape's original specification, will not recognize the 
Set-Cookie2 response header and will receive and send cookies according 
to the older specification.

RFC 2965 does not say that it overrides the older RFC 2109.  My 
interpretation is that a user agent can follow RFC 2109 for Set-Cookie 
headers, and possibly should.  My Tomcat is sending Set-Cookie headers, 
not Set-Cookie2 headers.

The text in RFC 2109 for the secure attribute is different to that in RFC 


       Optional.  The Secure attribute (with no value) directs the user
       agent to use only (unspecified) secure means to contact the origin
       server whenever it sends back this cookie.

       The user agent (possibly under the user's control) may determine
       what level of security it considers appropriate for "secure"
       cookies.  The Secure attribute should be considered security
       advice from the server to the user agent, indicating that it is in
       the session's interest to protect the cookie contents.

Note that the text about not sending a cookie received over a channel
back over a less secure one is omitted.

So I guess, strictly speaking, no user agent sending secure cookies
over an insecure channel is actually in violation of the RFC :(

Is there a way to persuade Tomcat to use Set-Cookie2 headers?
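As an added example (not code from this post, from Tomcat or from httpunit), the following Python shows the user-agent rule the thread is arguing about made explicit: a cookie carrying the Secure attribute is sent only on HTTPS requests, regardless of which channel delivered it. It also includes a small server-side check that flags a session cookie issued over HTTPS without the Secure attribute, which is the condition under which a client following the lenient RFC 2109 reading will happily send it over plain HTTP. The cookie name JSESSIONID comes from the post; the hostnames, cookie values and header strings are constructed for illustration.

```python
# Added example: a minimal client-side cookie store that honours the Secure
# attribute, plus an audit of Set-Cookie headers a server emits.
# Not code from the mailing-list post, Tomcat or httpunit; all header values
# and URLs below are constructed for illustration.
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Tomcat's default session cookie name, as discussed in the thread.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attributes)."""
    parsed = SimpleCookie()
    parsed.load(header_value)
    if len(parsed) != 1:
        raise ValueError("expected exactly one cookie in: %r" % header_value)
    name, morsel = next(iter(parsed.items()))
    attrs = {
        "path": morsel["path"] or "/",
        # Flag attributes are stored as True when present and '' otherwise.
        "secure": bool(morsel["secure"]),
    }
    return name, morsel.value, attrs


class CookieStore:
    """Client-side cookie store keyed by (host, cookie name)."""

    def __init__(self):
        self._cookies = {}

    def store(self, set_cookie_value, response_url):
        """Record a cookie received in a response from response_url."""
        host = urlparse(response_url).hostname
        name, value, attrs = parse_set_cookie(set_cookie_value)
        self._cookies[(host, name)] = (value, attrs)

    def cookie_header(self, request_url):
        """Build the Cookie header value for a request, or None if none apply.

        A cookie carrying the Secure attribute is only attached when the
        request goes over HTTPS; the channel it was received on is irrelevant.
        """
        parts = urlparse(request_url)
        over_https = parts.scheme == "https"
        path = parts.path or "/"
        pairs = []
        for (host, name), (value, attrs) in self._cookies.items():
            if host != parts.hostname or not path.startswith(attrs["path"]):
                continue
            if attrs["secure"] and not over_https:
                continue  # never put a Secure cookie onto a plain connection
            pairs.append("%s=%s" % (name, value))
        return "; ".join(pairs) or None


def audit_set_cookie(set_cookie_value, received_over_https):
    """Return findings for a Set-Cookie header the server sent.

    A session cookie issued over HTTPS without the Secure attribute will be
    sent back over plain HTTP by a client that only honours the attribute.
    """
    name, _value, attrs = parse_set_cookie(set_cookie_value)
    findings = []
    if name in SESSION_COOKIE_NAMES and received_over_https and not attrs["secure"]:
        findings.append("%s issued over HTTPS without Secure; a client "
                        "may send it over plain HTTP" % name)
    return findings


if __name__ == "__main__":
    store = CookieStore()
    store.store("JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
                "https://example.test/app/")
    store.store("theme=dark; Path=/", "https://example.test/app/")
    print(store.cookie_header("http://example.test/app/page"))   # theme=dark
    print(store.cookie_header("https://example.test/app/page"))  # JSESSIONID=ABC123; theme=dark
    print(audit_set_cookie("JSESSIONID=ABC123; Path=/", received_over_https=True))
```

The stdlib `http.cookiejar` used by `urllib` applies the same Secure rule by default; the store above just makes the decision visible so the two readings of the RFCs in the thread can be compared against concrete headers.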

