Hi Tomcat Users,

We are using Tomcat version 6.0.37. I have a few questions regarding the 
JSESSIONIDSSO cookie generated by Tomcat.
As you know, in general each cookie needs to have the "HttpOnly" and "Secure" 
flags set. I understand both the JSESSIONID and JSESSIONIDSSO cookies are 
maintained by Tomcat for session management. The problem is that sometimes the 
"JSESSIONIDSSO" cookie is not set with the "Secure" and "HttpOnly" flags. For 
example, of the following two responses, in one JSESSIONIDSSO is set and in the 
other it is not. I would like to know whether this is expected in some 
scenarios. Your input is much appreciated.
I could not find any documentation related to this on the tomcat.apache.org web 
site.
Please help me.

In a different application, which is using Tomcat 7.x, I could not find this 
cookie at all. Are there any fixes between Tomcat 6.0.37 and Tomcat 7.x related 
to JSESSIONIDSSO?
Is there any behavior change?

HTTP/1.1 200 OK
Pragma: No-cache
Cache-Control: no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Tue, 17 Jun 2014 16:18:27 GMT
Server: XYZ
Content-Length: 71916


HTTP/1.1 302 Found
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
Location: https://X.Y.A.B/admin/login.jsp
Content-Length: 0
Date: Tue, 17 Jun 2014 16:21:17 GMT
Server: XYZ

Thanks
Radhakrishna
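
An added example, not part of the original post or of Tomcat: a small audit over the Set-Cookie lines of the two responses above that reports, per cookie, which of Secure and HttpOnly are missing and whether the cookie is already expired (under RFC 6265 a past Expires or a non-positive Max-Age makes the browser remove the cookie instead of storing it). The function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Set-Cookie lines copied from the two responses in the post, wraps rejoined.
RESPONSE_200 = [
    "Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly",
    "Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly",
]
RESPONSE_302 = [
    "Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT",
    "Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly",
]

def parse_set_cookie(header_line):
    """Split one Set-Cookie header line into (name, lower-cased attribute map)."""
    parts = [p.strip() for p in header_line.split(":", 1)[1].split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].split("=", 1)[0], attrs

def is_expired(attrs, now):
    """True for a deletion cookie: Max-Age <= 0, or Expires not after `now`."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # an unparsable Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparsable date: treat as a live cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False

def audit(set_cookie_lines, now=None):
    """Return (name, missing_flags, expired) for each Set-Cookie line."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for line in set_cookie_lines:
        name, attrs = parse_set_cookie(line)
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        findings.append((name, missing, is_expired(attrs, now)))
    return findings

if __name__ == "__main__":
    for label, lines in (("200", RESPONSE_200), ("302", RESPONSE_302)):
        print(label, audit(lines))
```

A finding with missing flags and `expired` false is a live cookie sent without the flags; one with `expired` true is a removal of the cookie and carries no session value forward.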