Have a client that is wanting us to implement the following in web.xml:
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
But from what I can tell, that's only available in 7+ and we are running at
6.latest with plans to upgrade.
Found a site that says I can accomplish the same in 6 by setting
useHttpOnly="true" in the context and setting secure="true" in the non-SSL
connector.
I know the former is correct, but the latter seems a stretch. Am I correct in
not trusting that answer?
Jeffrey Janner
Sr. Network Administrator
[email protected]
PolyDyne Software Inc.
Main: 512.343.9100
Direct: 512.583.8930
Speed, Intelligence & Savings in Sourcing
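
Whichever configuration route is used, the result the client is asking for can be checked on the wire. The following is an added example, not part of the original message: it parses Set-Cookie response headers and reports which of the HttpOnly and Secure attributes the session cookie lacks. The cookie name JSESSIONID and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure attributes.
# Assumption: the session cookie uses the name JSESSIONID.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled semicolon
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_values, cookie_name="JSESSIONID"):
    """Return the list of missing flags, or None if the cookie is not set."""
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if name == cookie_name:
            return [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
    return None


# Constructed sample headers (not captured from a real server).
SAMPLES = {
    "both flags": ["JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly"],
    "httponly only": ["theme=dark; Path=/", "JSESSIONID=0123ABCD; Path=/app; httponly"],
    "no flags": ["JSESSIONID=0123ABCD; Path=/app;"],
    "no session cookie": ["theme=dark; Path=/"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        missing = audit_session_cookie(headers)
        if missing is None:
            print(f"{label}: session cookie not set in this response")
        elif missing:
            print(f"{label}: missing {', '.join(missing)}")
        else:
            print(f"{label}: HttpOnly and Secure both present")
```

Feed it the Set-Cookie values from a response that creates a new session, once over the plain HTTP connector and once over HTTPS, to see what each connector actually emits.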