On 3/5/2014 12:52 PM, Konstantin Kolinko wrote:
>Session cookie is HttpOnly in Tomcat 7.
>
>If you missed that in migration guide, it is here:
>http://tomcat.apache.org/migration-7.html#Session_cookie_configuration

I added this to some code that is executed by most requests that we use to
track operator activity:

    // operLog is the StringBuilder this request's activity line is built in (declared earlier)
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            // one entry per cookie the browser sent with this request
            operLog.append("\n").append(cookie.getName())
                   .append("=").append(cookie.getValue())
                   .append(", secure=").append(cookie.getSecure())
                   .append(", httpOnly=").append(cookie.isHttpOnly());
        }
    }
    m_log.fatal(operLog.toString());

This is what that prints out in the log every time:

JSESSIONID=<a big hex number>, secure=false, httpOnly=false

So no, I don't think that's it. We're set to send on any protocol.
Moreover, shouldn't the applet be sending httpOnly cookies even
if they are not visible to JavaScript?

1. Why would it act differently with the load balancer than with a
direct connection?

2. Why would it have continued to fail over the load balancer after
we reverted to Tomcat 6?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
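As an added example (not code from this thread), because a browser's Cookie request header carries only name=value pairs, the Secure and HttpOnly attributes can only be observed on the server's Set-Cookie response header, never on the Cookie objects built from request.getCookies(). The Python below parses a constructed Set-Cookie header to report which flags the JSESSIONID cookie lacks, and parses a constructed Cookie request header to show those attributes are simply absent there; the session id value is a placeholder.

```python
"""Audit Secure/HttpOnly on a Set-Cookie response header, and show that a Cookie
request header never carries those attributes. Sample headers are constructed."""
from typing import NamedTuple


class CookieFlags(NamedTuple):
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(value: str) -> CookieFlags:
    """Parse one Set-Cookie header value (name=value; attr; attr=val).
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name, "secure" in attrs, "httponly" in attrs)


def parse_cookie_header(value: str) -> dict:
    """Parse a Cookie request header value: only name=value pairs exist here,
    the browser never echoes Secure/HttpOnly back to the server."""
    pairs = {}
    for item in value.split(";"):
        name, _, val = item.strip().partition("=")
        if name:
            pairs[name.strip()] = val.strip()
    return pairs


def missing_session_flags(set_cookie_values, session_name="JSESSIONID"):
    """Return the flags the session cookie lacks ([] means both are set),
    or None if the response carried no Set-Cookie for that name."""
    for value in set_cookie_values:
        flags = parse_set_cookie(value)
        if flags.name == session_name:
            return [f for f, ok in (("Secure", flags.secure),
                                    ("HttpOnly", flags.http_only)) if not ok]
    return None


# Constructed sample headers (placeholder session id, not a real capture).
RESPONSE_SET_COOKIE = [
    "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly",
    "theme=dark; Path=/",
]
REQUEST_COOKIE = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; theme=dark"

if __name__ == "__main__":
    print(missing_session_flags(RESPONSE_SET_COOKIE), parse_cookie_header(REQUEST_COOKIE))
```

Run it against the real Set-Cookie values captured from a response (for example from the browser's network panel) rather than from the request side, since the request side will read false for every cookie whatever the server configured.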