I don't know how to do it within Tapestry, but generally you can use a filter to make sure that jsessionid is never set as a secure cookie. I dug up some old code that does that; I think it works:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TomcatUnifiedSessionFilter implements Filter {

    public void destroy() {
        // nothing to do here
    }

    public void doFilter(final ServletRequest request,
            final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {
        /*
         * Tomcat tracks the session using the JSESSIONID. When the session is
         * created as a consequence of a request of a secure page, however, the
         * "secure" attribute of the cookie is set to true. That prevents the
         * session to be consecutively tracked on non-secure pages. We would
         * like a unified approach, though.
         */
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        final HttpServletResponse httpResponse = (HttpServletResponse) response;

        // TODO: some more explanation
        final HttpSession session = httpRequest.getSession(false);
        if (session != null) {
            // Re-issue the session cookie without the "secure" attribute
            final Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
            sessionCookie.setMaxAge(-1); // session cookie, discarded when the browser closes
            sessionCookie.setSecure(false);
            sessionCookie.setPath(httpRequest.getContextPath());
            httpResponse.addCookie(sessionCookie);
        }

        chain.doFilter(request, response);
    }

    public void init(final FilterConfig config) throws ServletException {
        // nothing to do here
    }
}

On Wed, Dec 17, 2008 at 8:51 PM, Keith Bottner <kbott...@gmail.com> wrote:
> Martijn,
>
> I get the rationale which is why I have other cookies that are marked as
> secure; however, the JSESSIONID cookie has a special use by the JSP server
> and is used for associating a user with a session so it should always be
> passed unsecured just to keep the user associated with the proper clustered
> server and with the proper backend mapping. The more secure cookies can be
> used for other uses.
>
> Keith
>
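
Added example, not part of the thread and not Tapestry or Tomcat code: a small Python model of a browser cookie jar replaying the Set-Cookie headers involved, to check when JSESSIONID becomes eligible for plain-HTTP requests. The header values, the `/app` context path and the function names are constructed for illustration; Domain handling is omitted and a missing Path is assumed to default to `/`.

```python
# Added example: models how a browser's cookie jar reacts to the Set-Cookie
# headers discussed in this thread. All header values below are constructed.

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs) with lowercase attr keys."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def apply_responses(set_cookie_headers):
    """Replay Set-Cookie headers in order; a later cookie with the same
    (name, path) replaces the earlier one, as in a browser cookie jar."""
    jar = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        path = attrs.get("path", "/")  # assumption: default path simplified to "/"
        jar[(name, path)] = {"value": value, "secure": "secure" in attrs,
                             "httponly": "httponly" in attrs}
    return jar


def sent_over_http(jar, name="JSESSIONID"):
    """Return the paths for which the named cookie would accompany a plain-HTTP request."""
    return sorted(path for (n, path), c in jar.items() if n == name and not c["secure"])


# Constructed sample: Tomcat's cookie from the HTTPS request that created the session...
TOMCAT_ONLY = ["JSESSIONID=0123ABCD; Path=/app; Secure"]
# ...followed by the cookie the filter re-issues on a later response (setSecure(false)).
WITH_FILTER = TOMCAT_ONLY + ["JSESSIONID=0123ABCD; Path=/app"]
# Constructed variant: the container's cookie path differs from getContextPath().
PATH_MISMATCH = ["JSESSIONID=0123ABCD; Path=/app/; Secure", "JSESSIONID=0123ABCD; Path=/app"]

if __name__ == "__main__":
    for label, headers in [("tomcat only", TOMCAT_ONLY), ("with filter", WITH_FILTER),
                           ("path mismatch", PATH_MISMATCH)]:
        print(label, "->", sent_over_http(apply_responses(headers)))
```

In the path-mismatch case both cookies stay in the jar side by side, so checking the cookie path the container actually emits is part of verifying what the filter does.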