Bill Davidson wrote:
> Rainer Jung wrote:
>> André Warnier wrote:
>>> And, again in other words, if this parameter was set to Off, and
>>> Tomcat generated a new session and a JSESSIONID session cookie for
>>> this session, that the cookie would thus not be marked secure?
>> Didn't try this. What do your tests say?
> Oooh! I may want to try this. I may not have needed to change my app
> at all.
Yep, I thought you might be interested.
But had this come up sooner, it would have deprived us of a lot of
interesting information.
By the way, the reason why I can't try it right now is that I just don't
have the application to try it with. So whatever I mentioned before
(but which apparently so far seems ok) was purely by attempting to
understand the documentation. Beware.
And by the way, I do not know who's in charge of that, but should this
all turn out to be true, I think that a small addendum in the
"JkExtractSSL" item of the page
"http://tomcat.apache.org/connectors-doc/reference/apache.html"
might avoid a lot of soul-searching in the future.
Like the phrase:
If you set this parameter to "Off", then Tomcat will not know that the
browser-Apache connection took place under HTTPS, and will treat it as a
simple HTTP connection. See ... for more details.
André
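
One way to test the question raised in this thread, as an added example that is not part of the original messages: fetch a page over HTTPS through Apache, then check whether the JSESSIONID cookie in the response carries the Secure attribute. The function names and the sample response headers below are constructed for illustration.

```python
# Added example. The header blocks below are constructed samples, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def insecure_session_cookies(raw_headers, cookie_name="JSESSIONID"):
    """Return the Set-Cookie values for cookie_name that lack the Secure attribute."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line, or an unrelated header
        name, attrs = parse_set_cookie(value)
        # Compare attribute names, not substrings: "Path=/secure" is not "Secure".
        if name == cookie_name and "secure" not in attrs:
            findings.append(value.strip())
    return findings


# Constructed: the cookie a container sets when it sees the request as plain HTTP.
SEEN_AS_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/secure\r\n"
    "Content-Type: text/html\r\n"
)

# Constructed: the cookie a container sets when it knows the request was HTTPS.
SEEN_AS_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)

if __name__ == "__main__":
    for label, headers in (("http view", SEEN_AS_HTTP), ("https view", SEEN_AS_HTTPS)):
        print(label, "->", insecure_session_cookies(headers) or "session cookie is Secure")
```

Running the same check with JkExtractSSL set to On and then to Off, against headers saved from a real HTTPS request, would show whether the behaviour discussed above actually occurs.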