Re: http/https jsessionid - issue with Apache/Tomcat

2006-06-02 Thread Gerald Schöffel
Sorry, late at night :)

Naturally I want to reconfigure Tomcat ... not Apache ...

>Hi !
>
>I have the following problem:
>
>Inside the direct link listener of my login page (scheme https) I validate the 
>user input and create a visit ASO on success.
>
>So a session is created and stored via a cookie on the browser.
>
>When leaving the https scheme, the jsessionid is lost, because the cookie is 
>marked as https-only.
>
>While I understand this behaviour (security reasons) I do not want to disable 
>session-cookies in apache. I want to keep the url tidy :)
>
>So is there a way to tell Apache (forwarding to Tomcat via JKMount) to treat 
>https sessionid as 'unsafe' and store them in an http-readable cookie ?
>
>I take care of the sessionid-hijacking for myself - so there is no need for 
>Apache to do so.
>
>Thank you in advance ! 
>
>Gerald
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



http/https jsessionid - issue with Apache/Tomcat

2006-06-02 Thread Gerald Schöffel
Hi !

I have the following problem:

Inside the direct link listener of my login page (scheme https) I validate the 
user input and create a visit ASO on success.

So a session is created and stored via a cookie on the browser.

When leaving the https scheme, the jsessionid is lost, because the cookie is 
marked as https-only.

While I understand this behaviour (security reasons) I do not want to disable 
session-cookies in apache. I want to keep the url tidy :)

So is there a way to tell Apache (forwarding to Tomcat via JKMount) to treat 
https sessionid as 'unsafe' and store them in an http-readable cookie ?

I take care of the sessionid-hijacking for myself - so there is no need for 
Apache to do so.

Thank you in advance ! 

Gerald
