Why is this the case, and where does one put in an "enhancement request"?  I
can see the argument for wanting the OPTION of forcing secure connections or
losing your session, but to not even have the option of having the session
cookie be insecure doesn't make much sense.

I understand the potential for session hijacking, but given what is being
secured, that is an acceptable risk, compared to sending passwords in plain
text which is not an acceptable risk.

Thanks for the answer, anyway (even though it's not what I wanted to hear :)

Andrew



> 
> "Andrew Mottaz" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> I've run into the problem where a session cookie gets lost when you
>> start on http and move to https.  The reason seems to be that
>> 'secure=true' is set on the session cookie when you start on https,
>> preventing the cookie from being passed to the http page.
>> 
>> 
>> I found the following in the archives:
>> 
>> You can maintain your session going http->https.  You can't maintain
>> your session https->http (unless you previously did a http->https).
>> 
>> 
>>   Is there any way to change the configuration to always use non-secure
>> session cookies?
> 
> You can in 3.3.2 (since it is a +0.0.1 release change).  In all higher
> versions of Tomcat, no.
> 
>> 
>> If there is not, is there a standard workaround?  I  hate the hack of
>> redirecting to make sure that first access is not secure.
> 
> Start hating ;-).
> 
>> 
>> Thanks much,
>> 
>> Andrew
>> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

--
Andrew Mottaz
Site 9 :: Internet Business Solutions
116 W. Illinois, Ste 6E
Chicago, Illinois 60610
312.670.8469
www.site9.net 



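The behaviour the thread describes (a session created over https gets a cookie with the Secure attribute, so the browser withholds it from http requests; a session created over http has no such attribute and follows the user across both schemes) can be reproduced offline with a client-side cookie jar, since that attribute is enforced by the client, not the container. The following is an added example, not code from the original thread or from Tomcat. It uses Python's standard-library http.cookiejar, which applies the same Secure rule a browser does. The host name shop.example.com, the /app context path and the JSESSIONID values are constructed for the example; the Set-Cookie headers are modelled on what a servlet container sends, with the Secure attribute present only for the https-created session.

```python
"""Model how a client treats a session cookie with and without `Secure`."""
import http.cookiejar
import urllib.request
from email.message import Message


# Constructed Set-Cookie headers. JSESSIONID is the container's cookie name;
# the ID values and the /app context path are made up for this example.
SESSION_ON_HTTPS = "JSESSIONID=A1B2C3; Path=/app; Secure"  # session created over https
SESSION_ON_HTTP = "JSESSIONID=D4E5F6; Path=/app"           # session created over http


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def set_cookie(jar, url, set_cookie_header):
    """Store a Set-Cookie header as if it arrived in the response to `url`."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(set_cookie_header), request)


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when the jar withholds every cookie (e.g. Secure cookie, http URL)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def secure_flags(jar):
    """Map each stored cookie name to whether it carries the Secure attribute."""
    return {cookie.name: cookie.secure for cookie in jar}


def session_created_on_https():
    """https first, then http: the browser keeps the cookie off the http
    request, so the container sees no session there and starts a new one."""
    jar = http.cookiejar.CookieJar()
    set_cookie(jar, "https://shop.example.com/app/login", SESSION_ON_HTTPS)
    return {
        "flags": secure_flags(jar),
        "https": cookie_sent_to(jar, "https://shop.example.com/app/cart"),
        "http": cookie_sent_to(jar, "http://shop.example.com/app/catalog"),
    }


def session_created_on_http():
    """http first (which is what the redirect workaround arranges), then
    https: the cookie has no Secure attribute and is sent on both schemes.
    This is also what makes the session ID visible to anyone watching the
    plain-text http traffic, i.e. the hijacking risk mentioned in the thread."""
    jar = http.cookiejar.CookieJar()
    set_cookie(jar, "http://shop.example.com/app/", SESSION_ON_HTTP)
    return {
        "flags": secure_flags(jar),
        "http": cookie_sent_to(jar, "http://shop.example.com/app/catalog"),
        "https": cookie_sent_to(jar, "https://shop.example.com/app/checkout"),
    }


if __name__ == "__main__":
    print("created on https:", session_created_on_https())
    print("created on http: ", session_created_on_http())
```

The two scenarios correspond to the archive answer quoted above: http->https keeps the session because the cookie was issued without Secure, while https->http loses it because the client, not the server, refuses to send a Secure cookie over http. The same jar logic can be pointed at any Set-Cookie header captured from a real deployment to confirm which attribute is actually being set.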
