Dave,

>Perhaps there is something in the configuration of your server (server.xml),
>or its default webapp settings (conf/web.xml), or the configuration of your
>webapp (WEB-INF/web.xml) that is causing the session cookie to be set as a
>secure cookie.

There is one thing that differs between the TC and IIS-headers I supplied: TC does Connection: Close while IIS does Connection: Keep-Alive. This could very well be the reason why ";Secure" is added (which *may* be the culprit although IE 5/Mac ought to be capable of handling this) as a closed-down connection loses its security context which requires this explicit marking of the cookies' secure origin. I guess...

>If you're only responding to HTTPS, then you probably don't need to set the
>Secure flag on the cookie anyway. I would bet that if you can find a way to
>get tomcat not to set that flag, your problem may go away.

I have not found anything in this area that can be configured. A google search revealed that TC requires HTTP 1.1 to support Keep-Alive but when I do "Netstat" using NN 6.2 and IE 5 on W2K, I see no sign of any keep-alives, just huge amounts of dead or dying TCP connections!

Anders