> I believe if your session starts through HTTPS, the cookie will be marked as secure and it won't be sent if the user switches to non-secure HTTP.
Maybe my question is stupid, but is it possible to browse a site on HTTP and have just the JSESSIONID cookie sent on HTTPS to prevent session stealing? And if possible, I would like to set it up... on Apache, mod_jk and Tomcat 6. Thank you.