-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cyrille,
On 6/22/2009 3:50 PM, Cyrille Le Clerc wrote: > My need is the opposite : I want to have request.secure=true but > request.scheme=http. What is the requirement that scheme=http? You can actually use a (non-secure) HTTP connector and still set scheme=https. Do you have some portion of your application that relies on request.getScheme() returning "HTTP"? > However, if request.secure=true, whatever is the value of > request.scheme, Tomcat generates a secure JSESSIONID cookie. My > problem is that most http clients treat secure cookie as "ssl only" > and thus, my JSESSIONID cookie is ignored. If HTTPS is not being used /at all/, then why do you want to claim that it is secure? If you aren't using SSL, then not having SSL cookies shouldn't be a problem, right? > I would prefer to have request.scheme with the value that was used by > the http client in case an application uses the scheme. In that case, "scheme" should be honestly set to the scheme being used by the <Connector>, which ought to be known in advance. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAko/9GUACgkQ9CaO5/Lv0PDStwCePuQdTOl7RYfwzLTeIJSdEKs6 QHIAnis9z83fwNsZma/WsIvXEW8QwCYv =8HH2 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
