From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Monday, July 29, 2013 2:29 PM
To: 'Tomcat Users List'
Subject: secure cookies

Have a client that is wanting us to implement the following in web.xml:

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
    </session-config>

But from what I can tell, that's only available in 7+ and we are running at 6.latest with plans to upgrade. Found a site that says I can accomplish the same in 6 by setting useHttpOnly="true" in the context and setting secure="true" in the non-SSL connector. I know the former is correct, but the latter seems a stretch. Am I correct in not trusting that answer?

[Jeff Janner] Forgot to mention that the site is already configured to require SSL for everything.
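
An added example, not part of the original message: whichever configuration ends up in place, the result can be verified by checking the session cookie's Set-Cookie response header for both flags. The Python below audits constructed sample headers; the function names, the sample values and the default cookie name JSESSIONID are assumptions made for illustration.

```python
# Added example: audit Set-Cookie headers for the session cookie's flags.
# All response headers below are constructed samples, not captured traffic.

def cookie_flags(set_cookie_value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_session_cookie(raw_headers, cookie_name="JSESSIONID"):
    """Return [(header_value, missing_flags)] for each Set-Cookie of cookie_name.

    An empty missing_flags list means the cookie carries Secure and HttpOnly.
    An empty result means the cookie was not set in these headers at all.
    """
    results = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, or some other header
        name, attrs = cookie_flags(value)
        if name != cookie_name:
            continue  # unrelated cookie
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        results.append((value.strip(), missing))
    return results

# Constructed samples: both flags, HttpOnly only, and no flags.
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly\r\n"
            "Content-Type: text/html\r\n")
HTTPONLY_ONLY = ("HTTP/1.1 200 OK\r\n"
                 "Set-Cookie: JSESSIONID=0123ABCD; Path=/app; HttpOnly\r\n"
                 "Set-Cookie: theme=dark; Path=/\r\n")
NO_FLAGS = "HTTP/1.1 200 OK\r\nset-cookie: JSESSIONID=0123ABCD; Path=/app\r\n"

if __name__ == "__main__":
    samples = [("hardened", HARDENED), ("httponly only", HTTPONLY_ONLY),
               ("no flags", NO_FLAGS)]
    for label, headers in samples:
        for value, missing in audit_session_cookie(headers):
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {status}  [{value}]")
```
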