http://nagoya.apache.org/bugzilla. However, there aren't very many developers who like the idea of allowing you to hang yourself :).




Thanks much for the tip -- I have to disagree about this not being a necessary change. There are plenty of apps where people browse without a secure connection, but have to log in to perform some functions. Users like to bookmark pages -- why should I force them to bookmark only non-secure pages? Giving a developer control over how session cookies function is better than forcing a hack where you have to always redirect to a non-secure page to establish the session. If you are writing an application where the session data is so sensitive that you have to protect against session hijacking, you should know about the difference between secure and non-secure cookies. I've got no problem if the default behavior uses secure cookies whenever possible, but change the "Session uses cookie" parameter to have a flag that allows session cookies to always be non-secure.

Just my two-cent rant :)

Andrew

