On Tue, Jul 30, 2013 at 6:51 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Jeffrey,
>
> On 7/29/13 4:09 PM, Jeffrey Janner wrote:
> > Thanks for the verification, Mark.  I was under the impression
> > you'd only want to [set secure="true"] if you were already
> > front-ending the site with something that was doing the SSL for you
> > (e.g. httpd or a proxy), and the server spoke HTTP between each
> > other.
>
> We use secure="true" for loopback-only connectors to avoid the
> overhead of SSL when we know the requests are going to come from
> localhost (we have Apache Cocoon running in a separate JVM
> calling-back to our main webapp for some XML). So there are some
> non-fronting use cases, too.
>
> (Note that mod_jk already sets the "secure" flag with each request if
> the original request to httpd came over HTTPS.)
>
> > Our app accepts an initial request to the login page on HTTP, but
> > should be automatically routed to the HTTPS connector due to
> > <transport-guarantee> before the page is actually sent back.  Then
> > we actually invalidate the session and create a new one on successful
> > login, and that session/cookie is used for the rest of the user's
> > time on the site. So all I really need to do to implement at 6.x is
> > the context change.
>
> Tomcat changes the session id (without actually destroying the
> session) after authentication, so if you are using Tomcat's
> authentication, then there is no need for the invalidation you
> describe above.
>
> - -chris
Hi Christopher,

When you say that after successful authentication Tomcat re-creates a new
session, what do you mean by that? Can you explain it in a bit more detail?


-- 
BR,
Prafull
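As an added illustration of what Chris describes (this is example code written for this thread, not Tomcat's own source or anything posted by the participants): an application-managed login that rotates the session id at the moment of authentication, which is what Tomcat's authenticator valve does for container-managed login when changeSessionIdOnAuthentication is left at its default of true. The point is the difference between changing the id of the existing session (attributes kept) and invalidating and re-creating it (attributes lost unless copied). It assumes the javax.servlet API of Tomcat 8 or 9 (Servlet 3.1 for changeSessionId()); the servlet path, the helper names, the redirect target and the demo credentials are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical application-managed login (example code, not Tomcat's own).
 * It does by hand what Tomcat's authenticator does for container-managed
 * login: give the session a new id when the user authenticates, so an id an
 * attacker planted in the victim's browser before login (session fixation)
 * no longer identifies the authenticated session.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo credentials; real code compares against a salted hash.
    private static final Map<String, String> DEMO_USERS = new HashMap<>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials only over TLS. isSecure() is also true on a connector
        // with secure="true" (or via mod_jk when the original request was
        // HTTPS), and Tomcat uses it to set the Secure flag on JSESSIONID.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }

        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);
        String before = session.getId();

        // Servlet 3.1+ (Tomcat 8 and later): same HttpSession object, new id,
        // all attributes kept. This is the equivalent of what Tomcat's
        // authenticator does for container-managed login.
        req.changeSessionId();

        // On Servlet 3.0 and older containers (Tomcat 6/7) there is no
        // changeSessionId(); use the fallback below instead:
        // session = reissueByInvalidation(req);

        session.setAttribute("authenticatedUser", user);
        log("session id rotated on login: " + before + " -> " + session.getId());
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Pre-3.1 fallback: invalidate and re-create, copying attributes so that
     * pre-login state (cart, CSRF token, ...) survives. Returns the new session.
     */
    static HttpSession reissueByInvalidation(HttpServletRequest req) {
        HttpSession old = req.getSession(true);
        Map<String, Object> saved = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true); // new id, new Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Constant-time comparison against the constructed demo store. */
    private static boolean checkCredentials(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        String expected = DEMO_USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     pass.getBytes(StandardCharsets.UTF_8));
    }
}
```

With the Servlet 3.1 path the client receives a new Set-Cookie for JSESSIONID but nothing stored in the session before login is lost; with the invalidate-and-re-create fallback you pay for copying the attributes yourself, which is the extra work Chris says is unnecessary when Tomcat's own authentication is in use.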
