Have a client that is wanting us to implement the following in web.xml:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

But from what I can tell, that's only available in 7+ and we are running at 6.latest with plans to upgrade. Found a site that says I can accomplish the same in 6 by setting useHttpOnly="true" in the context and setting secure="true" in the non-SSL connector. I know the former is correct, but the latter seems a stretch. Am I correct in not trusting that answer?

Jeffrey Janner
Sr. Network Administrator
jeffrey.jan...@polydyne.com
PolyDyne Software Inc.
Main: 512.343.9100
Direct: 512.583.8930
Speed, Intelligence & Savings in Sourcing
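
Whichever configuration ends up in place, the client's requirement can be checked on the wire by inspecting the session cookie's Set-Cookie header. The script below is an added example, not part of the original message: it assumes the session cookie uses Tomcat's default name JSESSIONID, and both sample responses are constructed for illustration.

```python
# Added example: audit Set-Cookie response headers for HttpOnly and Secure.
# Both sample responses are constructed for illustration, not captured traffic.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
    "\r\n"
)
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookies(raw_response):
    """Yield (cookie_name, lowercased attribute names) for each Set-Cookie header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        yield name, attrs


def missing_flags(raw_response, cookie_name="JSESSIONID"):
    """Return the required flags absent from the named cookie, or None if it is not set."""
    seen = False
    missing = set()
    for name, attrs in parse_set_cookies(raw_response):
        if name == cookie_name:
            seen = True
            missing.update(f for f in REQUIRED_FLAGS if f not in attrs)
    return sorted(missing) if seen else None


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, missing_flags(raw))
```

Feed it the raw response headers saved from a request that creates a new session; an empty list means both flags are present on the session cookie.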