Thanks Olaf.

> There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

User-https request ---> AWS-ELB-443 & here we have applied the SSL & 443 redirect to 8080 of tomcat (non SSL)

> To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do. Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection.

I have tried this way (secure="true") also, but the application is working fine but we are unable to log in to the application & getting the "oops session expired" error message, so I have reverted this parameter.

Regards,
Naga Ramesh R
1974

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: Thursday, November 30, 2017 1:33 PM
To: users@tomcat.apache.org
Subject: Re: getting some cookie & security related issues.

On 30.11.2017 08:52, Naga Ramesh wrote:
> User --------> AWS --------> Tomcat
>     (HTTPS)        (HTTPS)
>
> User-HTTPS request----> AWS-ELB(https-443) re-direct to tomcat connector port-8080
>
> What is the (expected) path when the user makes an HTTPS request? Is it:
>
> User --------> AWS --------> Tomcat
>     (HTTPS)        (HTTPS)

There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https.

Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do. Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection User->AWS.

Please clarify your situation.

Thanks,
Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
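As an added example that is not part of the thread, here is what Olaf's secure="true" suggestion looks like in Tomcat's server.xml: the plain 8080 connector from the thread beside a connector that tells Tomcat the user-facing hop was HTTPS. The ports come from the thread; the host name in proxyName is a placeholder, and the security-group wording in the comments is an assumption about how the "only reachable through the load balancer" caveat would be enforced on AWS.

```xml
<!-- server.xml fragment (added example, not from the thread).
     Assumed setup: ELB terminates TLS on 443 and forwards plain HTTP
     to Tomcat on 8080. -->

<!-- Before: the connector as it stands in the thread. Every request
     arrives as plain HTTP on 8080, so request.isSecure() is false,
     request.getScheme() is "http" and request.getServerPort() is 8080.
     The JSESSIONID cookie is issued without the Secure flag, and any
     URL the application builds from scheme/port comes out as
     http://...:8080/, not the https://...:443/ the user started from. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />

<!-- After: same port, same plain-text hop from the ELB, but Tomcat is
     told to treat it as the tail end of an HTTPS connection:
       secure="true"   -> request.isSecure() returns true and the
                          session cookie is set with the Secure flag
       scheme="https"  -> request.getScheme() returns "https"
       proxyPort="443" -> request.getServerPort() returns the port the
                          user actually connected to
       proxyName       -> the public host name the user sees (placeholder)
     Two consequences to plan for:
       1. Tomcat now believes EVERY connection on 8080 is secure, so the
          caveat from the thread is mandatory: 8080 must be reachable
          only from the load balancer (on AWS, assume a security group
          that allows inbound 8080 solely from the ELB's security group).
          A client that reaches 8080 directly is otherwise treated as
          secure too.
       2. With the Secure flag set, the browser returns JSESSIONID only
          over HTTPS, so every user-facing URL (including redirects after
          login) must stay on https; a single plain-http hop drops the
          session. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="true"
           scheme="https"
           proxyName="www.example.com"
           proxyPort="443" />
```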