tomcat-users mailing list archives

From Bill Davidson <bill...@gmail.com>
Subject Re: Tomcat 6 vs. Tomcat 7 vs Cisco Load Balancer vs Java Applet
Date Wed, 05 Mar 2014 22:11:31 GMT
On 3/5/2014 12:52 PM, Konstantin Kolinko wrote:
 >Session cookie is HttpOnly in Tomcat 7.
 >
 >If you missed that in migration guide, it is here:
 >http://tomcat.apache.org/migration-7.html#Session_cookie_configuration

I added this to some code that is executed by most requests that we use to
track operator activity:

    Cookie[] cookies = request.getCookies();
    if ( cookies != null ){
        for ( Cookie cookie : cookies ){
            operLog.append("\n").append(cookie.getName())
                   .append("=").append(cookie.getValue())
                   .append(", secure=").append(cookie.getSecure())
                   .append(", httpOnly=").append(cookie.isHttpOnly());
        }
    }
    m_log.fatal(operLog.toString());

This is what that prints out in the log every time:

JSESSIONID=<a big hex number>, secure=false, httpOnly=false

So no, I don't think that's it.  We're set to send on any protocol.
Moreover, shouldn't the applet be sending httpOnly cookies even
if they are not visible to JavaScript?

1. Why would it act differently with the load balancer than with a
direct connection?

2. Why would it have continued to fail over the load balancer after
we reverted to Tomcat 6?





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
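
Added example, not part of the original message or of Tomcat's code: the `Secure` and `HttpOnly` attributes travel only in the `Set-Cookie` response header, while the `Cookie` request header carries bare name=value pairs, so a check for these flags has to read the response side. The class name, header strings and session id below are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieFlagCheck {

    // Request side: an RFC 6265 "Cookie" header is a list of name=value pairs.
    // There is no slot for Secure/HttpOnly, so a servlet Cookie built from it
    // reports the defaults (false) for getSecure() and isHttpOnly().
    static Map<String, String> parseRequestCookies(String cookieHeader) {
        Map<String, String> pairs = new LinkedHashMap<>();
        for (String part : cookieHeader.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) {
                pairs.put(part.substring(0, eq).trim(),
                          part.substring(eq + 1).trim());
            }
        }
        return pairs;
    }

    // Response side: the attributes the server asked for are in Set-Cookie.
    static String describeSetCookie(String setCookieHeader) {
        HttpCookie c = HttpCookie.parse(setCookieHeader).get(0);
        return c.getName()
                + ": secure=" + c.getSecure()
                + ", httpOnly=" + c.isHttpOnly()
                + ", path=" + c.getPath();
    }

    public static void main(String[] args) {
        // Constructed sample headers; the session id is a placeholder.
        String setCookie = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly";
        String cookie = "JSESSIONID=0123456789ABCDEF; theme=dark";

        // Flags are visible here.
        System.out.println("Set-Cookie -> " + describeSetCookie(setCookie));
        // Only names and values come back from the client.
        System.out.println("Cookie     -> " + parseRequestCookies(cookie));
    }
}
```

To see what a deployment actually sets, capture the `Set-Cookie` header on the response that creates the session, both directly against Tomcat and through the load balancer, and compare the attributes.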

