* Yann Rouillard:

> Yes it could be seen that way, as we discussed with Emmanuel during the
> Paris BSP today, but in fact it's even better, I checked and there is no
> problem with Tomcat as the Secure flag is already automatically set
> with the default configuration:
>
> - if Tomcat is accessed through the HTTPS connector, all cookies are
>   secure thanks to the connector Secure option which is set by default,
> - if Tomcat is accessed through the AJP13 connector, Apache (or other
>   webserver) transfers through the AJP protocol the information whether the
>   connection was through SSL or not, Tomcat uses it to set the Secure flag
>   accordingly.

Can you check that it's possible to force the secure flag with an HTTP connector? Some load-balancer-based setups need this (although direct HTTP connections from a browser will not work, obviously).
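An added example, not part of the thread or of the Debian packaging: a small audit that reads a Tomcat `server.xml` and reports, per connector, whether requests will be treated as secure, which is what decides the Secure flag on session cookies. It relies on Tomcat's `secure`, `scheme`, `SSLEnabled` and `proxyPort` connector attributes; the sample configuration and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the thread).
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP, reachable directly -->
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- plain HTTP behind a TLS-terminating load balancer -->
    <Connector port="8081" protocol="HTTP/1.1"
               scheme="https" secure="true" proxyPort="443" />
    <!-- HTTPS connector -->
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
    <!-- AJP connector fed by Apache httpd -->
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

def _flag(conn, name):
    """Read a boolean connector attribute; absent means false."""
    return conn.get(name, "false").strip().lower() == "true"

def classify_connectors(xml_text):
    """Map each connector port to a verdict label (labels are hypothetical)."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = int(conn.get("port"))
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" in protocol.lower():
            # The front-end web server forwards the SSL state over AJP.
            verdict = "per-request"
        elif not _flag(conn, "secure"):
            verdict = "not-secure"        # cookies sent without Secure
        elif _flag(conn, "SSLEnabled"):
            verdict = "secure-tls"        # Tomcat terminates TLS itself
        else:
            verdict = "secure-offloaded"  # HTTP connector, secure forced
        results[port] = verdict
    return results

if __name__ == "__main__":
    for port, verdict in sorted(classify_connectors(SERVER_XML).items()):
        print(port, verdict)
```

A `secure-offloaded` connector should only be reachable from the load balancer, since a browser connecting to it directly over HTTP would never send the Secure cookies back.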