https://bz.apache.org/bugzilla/show_bug.cgi?id=64921
--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---

Hmm. It's not possible to know whether or not the browser thinks the cookie should be "secure" since the client doesn't send the "secure" flag to the server (it's a one-way flag, from server -> client).

Are you able to test a patch (or have you already developed one)?

Assuming the only thing missing is:

  sessionCookie.setSecure(true);

then we only have to worry about knowing when to set that flag.

Modern systems should probably *always* set that flag, but someone out there surely needs us to NOT set the "secure" flag so we need a way to disable that. Probably via a configuration option "secure" which defaults to "true" but can be set to "false".