On 3/5/2014 12:52 PM, Konstantin Kolinko wrote:
> Session cookie is HttpOnly in Tomcat 7.
>
> If you missed that in the migration guide, it is here:
> http://tomcat.apache.org/migration-7.html#Session_cookie_configuration

I added this to some code that is executed by most requests that we use to track operator activity:

    // Log each cookie received on this request, with its flags
    Cookie[] cookies = request.getCookies();
    if ( cookies != null ){
        for ( Cookie cookie : cookies ){
            operLog.append("\n").append(cookie.getName())
                   .append("=").append(cookie.getValue())
                   .append(", secure=").append(cookie.getSecure())
                   .append(", httpOnly=").append(cookie.isHttpOnly());
        }
    }
    m_log.fatal(operLog.toString());

This is what that prints out in the log every time:

    JSESSIONID=<a big hex number>, secure=false, httpOnly=false

So no, I don't think that's it. We're set to send on any protocol. Moreover, shouldn't the applet be sending httpOnly cookies even if they are not visible to JavaScript?

1. Why would it act differently with the load balancer than with a direct connection?
2. Why would it have continued to fail over the load balancer after we reverted to Tomcat 6?
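
Added example, not part of the original message: under RFC 6265 the `Cookie` request header carries only name=value pairs, while `Secure` and `HttpOnly` travel only in the `Set-Cookie` response header, so the flags are checked on the response side. The class and method names and both sample headers are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CookieFlagCheck {

    // A Cookie request header is just "name=value; name=value" (RFC 6265),
    // so the only things that can be recovered from it are names and values.
    static Map<String, String> parseRequestCookies(String cookieHeader) {
        Map<String, String> pairs = new LinkedHashMap<>();
        for (String part : cookieHeader.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) {
                pairs.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
            }
        }
        return pairs;
    }

    // Read the flags the server actually set from a Set-Cookie response header.
    static String describeSetCookie(String setCookieHeader) {
        StringBuilder out = new StringBuilder();
        List<HttpCookie> cookies = HttpCookie.parse(setCookieHeader);
        for (HttpCookie c : cookies) {
            out.append(c.getName())
               .append(": secure=").append(c.getSecure())
               .append(", httpOnly=").append(c.isHttpOnly())
               .append(", path=").append(c.getPath());
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample headers; the session id is a placeholder value.
        String response = "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly";
        String request = "JSESSIONID=0123456789ABCDEF";

        System.out.println("response: " + describeSetCookie(response));
        // The request side has no attribute fields to log at all.
        System.out.println("request:  " + parseRequestCookies(request));
    }
}
```

To see the real flags for a deployment, capture the `Set-Cookie` header on the response that creates the session, both directly against Tomcat and through the load balancer, and compare the two.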