-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bill,
Bill Davidson wrote: | Rainer Jung wrote: |> André Warnier wrote: |>> And, again in other words, if this parameter was set to Off, and |>> Tomcat generated a new session and a JSESSIONID session cookie for |>> this session, that the cookie would thus not be marked secure ? |> |> Didn't try this. What does your tests say? | | Oooh! I may want to try this. I may not have needed to change my app | at all. Just remember that any <transport-guarantee> that requires SSL will break if you do this. | Interesting. I'm wondering if my old Apache 1.3.34+ssl & Tomcat 3.2.4 | combination involved any knowledge by Tomcat of Apache doing SSL? I'm sure it did. I think the difference, as Bill Barker (IIRC) pointed out, is that TC 4.0 and later now actually set the "secure" flag on Cookie objects while earlier versions did not. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEUEARECAAYFAkhSpe0ACgkQ9CaO5/Lv0PDargCXU2TvcCzod3EFnPmzI8oMJ00m oQCeOoRWS9HHF2vS8BIi4VN0DRoZ3oc= =4mhQ -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]