Jeffrey,

On 7/29/13 4:09 PM, Jeffrey Janner wrote:
> Thanks for the verification, Mark.  I was under the impression
> you'd only want to [set secure="true"] if you were already
> front-ending the site with something that was doing the SSL for you
> (e.g. httpd or a proxy), and the server spoke HTTP between each
> other.

We use secure="true" for loopback-only connectors to avoid the
overhead of SSL when we know the requests are going to come from
localhost (we have Apache Cocoon running in a separate JVM
calling back to our main webapp for some XML). So there are some
non-fronting use cases, too.

(Note that mod_jk already sets the "secure" flag with each request if
the original request to httpd came over HTTPS.)

> Our app accepts an initial request to the login page on HTTP, but 
> should be automatically routed to the HTTPS connector due to 
> <transport-guarantee> before the page is actually sent back.  Then
> we actually invalidate the session and create a new one on successful
> login, and that session/cookie is used for the rest of the user's
> time on the site. So all I really need to do to implement at 6.x is
> the context change.

Tomcat changes the session id (without actually destroying the
session) after authentication, so if you are using Tomcat's
authentication, then there is no need for the invalidation you
describe above.

-chris

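Added example (not part of the original message and not Tomcat project code): a small audit of server.xml for the connector setups discussed in this thread. It lists every Connector that has secure="true" without SSLEnabled="true" and reports whether it is bound to a loopback address, as in the Cocoon callback case, or is reachable more widely and therefore relies on an SSL-terminating front end. The sample XML, function names and verdict labels are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration (ports and addresses are made up).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"
               secure="true"/>
    <Connector port="8082" protocol="HTTP/1.1" secure="true"/>
    <Connector port="8083" protocol="HTTP/1.1" address="10.0.0.5"
               scheme="https" secure="true"/>
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the connector is explicitly bound to loopback."""
    if address is None:
        return False  # no address attribute: treated as all interfaces
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as not loopback

def audit_connectors(server_xml):
    """Return (port, bind address, verdict) for each connector that
    reports requests as secure without doing SSL itself."""
    findings = []
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        secure = conn.get("secure", "false").lower() == "true"
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        if not secure or ssl:
            continue  # either not marked secure, or really doing SSL
        address = conn.get("address")
        # "review": plain HTTP is reported as secure to the webapp, so
        # only an SSL-terminating proxy should be able to reach it.
        verdict = "ok-loopback" if is_loopback(address) else "review"
        findings.append((conn.get("port"), address or "all interfaces", verdict))
    return findings

if __name__ == "__main__":
    for port, address, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port:>5}  bind {address:<15}  {verdict}")
```

A "review" verdict is not necessarily a misconfiguration: it is the fronted case Jeffrey describes, and the thing to confirm is that clients cannot reach that port directly.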