Guojun,
On 5/8/2009 5:27 PM, Guojun Zhu wrote:
> What do you mean "You want to ensure a session is created in
> non-secure mode BEFORE the user submits their credentials."?

Session id cookies are created by Tomcat in either "secure" mode (when the session is created during an HTTPS request) or non-secure mode (when the session is created during an HTTP request). If you get a "secure" cookie, the browser will no longer send it to the server when you go back to HTTP mode. So, you have to make sure you get a non-secure cookie.

Your options are (as previously stated)

1. Modify the cookie to make sure it's not set to secure=true

or

2. Modify your web application to ensure the session id cookie is created in non-secure mode. This may require you to expire a session id cookie that is already in secure mode, redirect to a non-secure page that creates a new (non-secure) session cookie, and then redirects to your login page so you can be authenticated in a secure environment (but still with a non-secure session id cookie).

> I am sorry, but I am not sure that I understand what you mean. All
> your solutions are to modify the login.jsp. But we have already reached
> there by http unsecurely whenever I try to access any restricted
> pages.

Showing a non-secure login page isn't a problem, is it? You just need to make sure that the login form's action is HTTPS and you will get a secure login.

> Furthermore, in your solution, what cookie should I get? Is there any
> special one?

You will always get a cookie with the name JSESSIONID created by Tomcat. This is the cookie you need to make sure is /not/ in secure mode.
-chris
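Option 2 from the reply above, written out as a servlet filter. This is an added example, not code from the thread or from Tomcat; the class name, the `/session-bootstrap` path, the `createdOverHttp` session attribute and the port numbers are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter implementing "option 2": make sure JSESSIONID is
 * created over plain HTTP before the HTTPS login form is shown, so the
 * cookie lacks the Secure flag and is still sent after switching back
 * to HTTP. The server cannot see the Secure attribute of an incoming
 * cookie, so a session attribute records whether the session was
 * created by the HTTP bootstrap step; any other session is expired.
 */
public class NonSecureSessionFilter implements Filter {
    // Assumed paths and ports; adjust to your deployment.
    private static final String LOGIN_PATH = "/login.jsp";
    private static final String BOOTSTRAP_PATH = "/session-bootstrap";
    private static final String MARKER = "createdOverHttp";
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String host = request.getServerName();
        String ctx = request.getContextPath();
        String path = request.getServletPath();

        if (BOOTSTRAP_PATH.equals(path) && !request.isSecure()) {
            // Reached over HTTP: the session created here gets a non-secure
            // cookie. Mark it, then hand off to the HTTPS login page.
            request.getSession(true).setAttribute(MARKER, Boolean.TRUE);
            response.sendRedirect("https://" + host + ":" + HTTPS_PORT + ctx + LOGIN_PATH);
            return;
        }

        if (LOGIN_PATH.equals(path) && request.isSecure()) {
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute(MARKER) == null) {
                // No session, or one that was created over HTTPS (Secure
                // cookie): expire it and bounce through HTTP first.
                if (session != null) session.invalidate();
                response.sendRedirect("http://" + host + ":" + HTTP_PORT + ctx + BOOTSTRAP_PATH);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to `/login.jsp` and `/session-bootstrap` in web.xml; a browser that refuses cookies will loop between the two redirects, so a production version should cap the number of bounces.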