"Andrew Mottaz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Why is this the case, and where does one put in an "enhancement request"? I > can see the argument for wanting the OPTION of forcing secure connections or > losing your session, but to not even have the option of having the session > cookie be insecure doesn't make much sense.
http://nagoya.apache.org/bugzilla. However, there aren't very many developers
who like the idea of allowing you to hang yourself :).

>
> I understand the potential for session hijacking, but given what is being
> secured, that is an acceptable risk, compared to sending passwords in plain
> text which is not an acceptable risk.
>
> Thanks for the answer, anyway (even though it's not what I wanted to hear :)
>
> Andrew
>
> > "Andrew Mottaz" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >> I've run into the problem where a session cookie gets lost when you
> >> start on http and move to https. The reason seems to be that
> >> 'secure=true' is set on the session cookie when you start on https,
> >> preventing the cookie from being passed to the http page.
> >>
> >> I found the following in the archives:
> >>
> >> You can maintain your session going http->https. You can't maintain
> >> your session https->http (unless you previously did a http->https).
> >>
> >> Is there any way to change the configuration to always use non-secure
> >> session cookies?
> >
> > You can in 3.3.2 (since it is a +0.0.1 release change). In all higher
> > versions of Tomcat, no.
> >
> >> If there is not, is there a standard workaround? I hate the hack of
> >> redirecting to make sure that first access is not secure.
> >
> > Start hating ;-).
> >
> >> Thanks much,
> >>
> >> Andrew
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> Andrew Mottaz
> Site 9 :: Internet Business Solutions
> 116 W. Illinois, Ste 6E
> Chicago, Illinois 60610
> 312.670.8469
> www.site9.net
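
The cookie behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat code: Python's standard http.cookiejar stands in for the browser and shows which scheme transitions keep the session cookie. The host name, the cookie value, and the rule that the Secure flag is set only when the session is created over https are assumptions modelled on the thread's description.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

HOST = "app.example.test"  # constructed host name, not from the thread


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        # CookieJar.extract_cookies() reads headers through response.info()
        return self._headers


def cookie_sent(first_scheme, next_scheme):
    """Create a session on first_scheme, then return the Cookie header
    the client would attach to a later request on next_scheme (or None)."""
    jar = CookieJar()
    # Assumption taken from the thread: the session cookie is marked Secure
    # only when the session is created on an https request.
    value = "JSESSIONID=CONSTRUCTED123; Path=/"
    if first_scheme == "https":
        value += "; Secure"
    first = urllib.request.Request(f"{first_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(value), first)

    follow_up = urllib.request.Request(f"{next_scheme}://{HOST}/account")
    jar.add_cookie_header(follow_up)  # applies the Secure-flag check
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for first, nxt in [("http", "https"), ("https", "http"),
                       ("https", "https"), ("http", "http")]:
        print(f"{first:5} -> {nxt:5}: Cookie = {cookie_sent(first, nxt)}")
```

A session created over http travels on both schemes because its cookie is never marked Secure, which is also why that cookie can be read on the plain-http leg.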
