Hi Joan, "<tracking-mode>cookie</tracking-mode>", from my understanding, uses the SSL session-ID as the cookie-value in the Tomcat container. This value will be different from what Apache assigns on the front-end SSL connection to the browser (as Konstantin pointed out). With tracking-mode COOKIE, I believe, a JSESSIONID cookie is created and used.
If the "<tracking-mode>cookie</tracking-mode>" setting does the trick, then a more secure configuration may be:

----a better web.xml:-----
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
  <!-- tracking-mode takes the enum names COOKIE, URL or SSL -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
----------------

The above configuration makes sure that a cookie is set only on an HTTPS connection coming into Tomcat.

And in general, an even better one would be:

---------- web.xml:------
<session-config>
  <!-- a single cookie-config element carries both flags -->
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
----------------------------------

What the above configuration does is that it prevents any malicious client-side code from accessing the cookie and thereby misusing it against your service.

Thanks.
-Shanti

On Fri, Sep 28, 2012 at 11:51 AM, Joan Morales <joan....@gmail.com> wrote:
> I put the <tracking-mode>SSL</tracking-mode> because I thought it was necessary to
> handle the SSL on TC, anyways I'll change it to COOKIE and see what happens.
> Another couple of ideas were to use a Valve for SSL on TC or enable the
> mod_header on Apache, but any idea on how this would help?
>
> Thanks,
> Joan
>
>
> --
> Joan Morales
>
> On 28/09/2012, at 17:35, Shanti Suresh <sha...@umich.edu> wrote:
>
> > Hi Joan,
> >
> > What happens when you change the web.xml settings to:
> >
> > ----------web.xml:----
> > <session-config>
> >   <session-timeout>30</session-timeout>
> >   <tracking-mode>COOKIE</tracking-mode>
> > </session-config>
> > --------------------------
> >
> > Thanks.
> >
> > -Shanti
> >
> >
> > On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> >
> >> 2012/9/28 Martin Gainty <mgai...@hotmail.com>:
> >>>
> >>> that is NOT what the OP asked for
> >>>
> >>> if the OP is implementing SSL via her FE Apache then she needs to
> >>> implement and config mod-ssl on that FE Apache server
> >>>
> >>> You need to understand what the OP environment is before criticising the
> >>> solution
> >>> Martin
> >>
> >> The OP asked about JSESSIONID cookie (as said in $Subject) and getting
> >> rid of it. It is not about configuring mod_ssl.
> >>
> >>
> >> http://en.wikipedia.org/wiki/Posting_style#Choosing_the_proper_posting_style
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
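The practical way to confirm that the web.xml change above took effect is to look at the Set-Cookie header Tomcat actually emits. The script below is an added example, not code from this thread or from Tomcat; the two HTTP responses in it are constructed to resemble `curl -i` output from an app before and after the `<cookie-config>` change (hostnames, paths and cookie values are made up). It extracts every Set-Cookie header from a raw response, parses the cookie attributes, and reports which of Secure and HttpOnly are missing from the session cookie.

```python
"""Check a raw HTTP response for the Secure and HttpOnly flags on JSESSIONID.

Added example, not code from the mailing-list thread or from Tomcat.
The responses below are constructed sample data.
"""

# Constructed response from a Tomcat app with the default web.xml:
# the JSESSIONID cookie carries neither Secure nor HttpOnly.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/app\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response after <secure>true</secure> and <http-only>true</http-only>
# were added to <cookie-config>: Tomcat now appends both flags.
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=6F5E4D3C2B1A; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value):
    """Split 'NAME=value; Attr; Attr=val' into (name, value, {attr: val}).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_flags(raw_response, cookie_name="JSESSIONID"):
    """List the flags missing from the named cookie, or None if it was not set."""
    for header in set_cookie_headers(raw_response):
        name, _value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return None


if __name__ == "__main__":
    for label, response in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        missing = missing_flags(response)
        print(f"{label}: missing {missing}")
```

Paste the output of `curl -i https://your-host/app/` into `RESPONSE_BEFORE` to run it against a real deployment. The check matters in the Apache-in-front setup discussed here because Tomcat, without `<secure>true</secure>`, only marks the cookie Secure when the request it sees is itself secure; when Apache terminates TLS and proxies over plain HTTP or AJP, that is not the case unless the connector or a RemoteIpValve tells Tomcat otherwise.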