You'd be walking into a security hazard, but you could probably set the cookie to secure even though it is running over http.

In org.apache.catalina.connector.Request.java, the cookie is set.
As you can see in the last few lines, the cookie is only set to secure if
the request is considered secure.

    protected void configureSessionCookie(Cookie cookie) {
        // Session cookie: no expiry, discarded when the browser closes
        cookie.setMaxAge(-1);
        String contextPath = null;
        if (!connector.getEmptySessionPath() && (getContext() != null)) {
            contextPath = getContext().getEncodedPath();
        }
        // Scope the cookie to the context path, falling back to "/"
        if ((contextPath != null) && (contextPath.length() > 0)) {
            cookie.setPath(contextPath);
        } else {
            cookie.setPath("/");
        }
        // Secure flag is set only when the request itself is secure
        if (isSecure()) {
            cookie.setSecure(true);
        }
    }

Please note, this is the recommended behavior; if you are tampering with it, then you could have potential problems on your hands.

Filip

Bello Martinez Sergio wrote:
Hi all,
I'm working with the following scenario: I have a web application running under apache-mod_jk-tomcat. I access this application through https, but I have an applet in a page, and this applet accesses the server periodically to get data through http (I can't use https at this point, it's a requirement). When I click a link in the web application to get another page (using https) I stated that I've lost the session data, because of the applet accesses through http. Does anybody know a workaround to this problem? Is there any way to keep session data when changing browser-server communications from http to https and vice versa?
Thanks in advance

Sergio

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
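
The https, http, https sequence from the question, as an added example that is not part of the original thread or of Tomcat's code: a small Java simulation of the "Secure only if the request is secure" rule shown in configureSessionCookie, paired with a simplified browser cookie jar. The class and helper names are hypothetical, the cookie name JSESSIONID and the attribute value are constructed sample data, and the jar assumes an http response may replace a same-named Secure cookie, which does not hold for browsers that refuse such overwrites.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: models the Secure-flag rule from configureSessionCookie()
// and a simplified browser cookie jar. All class and method names are hypothetical.
public class SecureCookieDemo {
    // Browser side: cookie value plus its Secure attribute, keyed by cookie name.
    record StoredCookie(String value, boolean secure) {}
    static final Map<String, StoredCookie> jar = new HashMap<>();

    // Server side: session id -> session attributes.
    static final Map<String, Map<String, String>> sessions = new HashMap<>();
    static int nextId = 1;

    // One request/response round trip; returns the session id the server used.
    static String request(boolean secureChannel) {
        StoredCookie c = jar.get("JSESSIONID");
        // A browser only sends a Secure cookie over a secure channel.
        String sent = (c != null && (!c.secure() || secureChannel)) ? c.value() : null;
        if (sent != null && sessions.containsKey(sent)) {
            return sent;                       // existing session found
        }
        // No usable cookie arrived: create a session and set a new cookie.
        String id = "S" + nextId++;
        sessions.put(id, new HashMap<>());
        // Same rule as the Tomcat method: Secure only if the request is secure.
        // Assumption: the jar lets this replace a same-named Secure cookie.
        jar.put("JSESSIONID", new StoredCookie(id, secureChannel));
        return id;
    }

    public static void main(String[] args) {
        String login = request(true);          // page loaded over https
        sessions.get(login).put("user", "example-user"); // constructed sample value
        String applet = request(false);        // applet polls over http
        String next = request(true);           // link clicked, https again
        System.out.println("https login -> " + login);
        System.out.println("http applet -> " + applet);
        System.out.println("https again -> " + next);
        System.out.println("user attribute now: " + sessions.get(next).get("user"));
    }
}
```

The first session and its data still exist on the server after the run; the browser simply no longer presents that session's id, which is why the data appears lost.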




