From: Jeffrey Janner [mailto:[email protected]]
Sent: Monday, July 29, 2013 2:29 PM
To: 'Tomcat Users List'
Subject: secure cookies
I have a client that wants us to implement the following in web.xml:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
But from what I can tell, that's only available in 7+, and we are running
6.latest with plans to upgrade.
I found a site that says I can accomplish the same in 6 by setting
useHttpOnly="true" in the context and setting secure="true" on the non-SSL
connector.
I know the former is correct, but the latter seems a stretch. Am I correct in
not trusting that answer?
[Jeff Janner] Forgot to mention that the site is already configured to require
SSL for everything.
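Rather than trust either answer, the question can be settled empirically: request the application over HTTPS and confirm the session cookie is actually issued with the Secure and HttpOnly attributes. The check below is an added example, not code from this thread or from Tomcat; the cookie name JSESSIONID and the sample Set-Cookie headers are constructed assumptions.

```python
# Added example: verify the flags a server really sets on its session cookie,
# so a Tomcat 6 workaround can be checked against live responses.
import sys
import http.client
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_session_cookie(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return {'secure': bool, 'httponly': bool} for the session cookie, or None if it was not set."""
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name == cookie_name:
            return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return None


def fetch_set_cookie_headers(url):
    """GET an HTTPS URL and return every Set-Cookie value separately (get_all keeps repeats apart)."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    return resp.headers.get_all("Set-Cookie") or []


# Constructed sample responses standing in for a real server (assumption, not captured output):
TOMCAT6_DEFAULT = ["JSESSIONID=ABC123; Path=/app"]
HARDENED = ["JSESSIONID=ABC123; Path=/app; Secure; HttpOnly", "theme=dark; Path=/"]

if __name__ == "__main__":
    # Usage: python check_cookie.py https://host/app/   (falls back to the samples)
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else HARDENED
    print(check_session_cookie(headers))
```

A result of `{'secure': False, 'httponly': False}` against the real host means the server-side setting did not take effect, whatever the documentation or the forum answer claims.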