"Christopher Schultz" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> |
> | - the behaviour of browsers versus secure/non-secure cookies is not new,
> | and neither is the fact that Tomcat generates a secure JSESSIONID cookie
> | when the session starts under HTTPS.  So how come this thing was working
> | before the Tomcat change of version, but no longer afterward ?
> | Or did I miss a post somewhere ?
>
> It's tough to tell. The OP was using TC 3.2.4 (ancient!) and it might
> not have been setting the "secure" flag on that cookie. It's the
> cookie's "secure" flag that dictates the security policy, not the use of
> HTTPS (or not). You could go back and look at the code for 3.2.4 and see
> if the "secure" flag was being set on cookies.
>

This is correct. TC 3.2.4 never set the "secure" flag on that cookie, and TC 
3.3.2 would only set it if you enabled an option in server.xml.  This 
feature of TC is only on TC 4.0 and higher.
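The point the quoted reply makes, that the cookie's "secure" flag rather than the use of HTTPS decides whether a browser will send JSESSIONID over plain HTTP, modelled as an added example (not code from this thread or from Tomcat); the Set-Cookie headers and URLs are constructed samples.

```python
"""Model of how a browser treats the "secure" flag on a session cookie.

Added example, not from the mailing-list thread or Tomcat: the policy is
attached to the cookie (its Secure attribute), not to the scheme the
session happened to be created under.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # True when the Set-Cookie header carried the Secure attribute


def parse_set_cookie(header: str) -> Cookie:
    """Extract name, value and the Secure attribute from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs)


def browser_sends(cookie: Cookie, request_url: str) -> bool:
    """A Secure cookie is attached only to https:// requests; any other cookie goes everywhere."""
    scheme = urlsplit(request_url).scheme.lower()
    return scheme == "https" or not cookie.secure


def audit_session_cookie(header: str, issued_over_https: bool) -> list[str]:
    """Defender-side check: a session cookie issued under HTTPS should carry Secure."""
    cookie = parse_set_cookie(header)
    findings = []
    if issued_over_https and not cookie.secure:
        findings.append(f"{cookie.name} issued over HTTPS without the Secure flag; "
                        "it will be sent on the next http:// request to the same host")
    return findings


# Constructed headers: LEGACY mimics a cookie with no Secure flag (as the
# reply describes for Tomcat 3.2.4), MODERN a cookie issued under HTTPS
# by a Tomcat that sets the flag.
LEGACY = "JSESSIONID=ABC123; Path=/"
MODERN = "JSESSIONID=ABC123; Path=/; Secure"

if __name__ == "__main__":
    for hdr in (LEGACY, MODERN):
        c = parse_set_cookie(hdr)
        print(hdr, "-> sent over http:", browser_sends(c, "http://example.com/app"))
        print("   findings:", audit_session_cookie(hdr, issued_over_https=True))
```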