André Warnier wrote:
> Am I mistaken then to think that since the connection B from IIS to
> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
> being used ?
> Whatever consequences this has in the context (and which are beyond my
> expertise).

Andre, I guess that is the question.

The filter I have in Tomcat calls request.isSecure(). This returns true. (All requests have been using https.)

If, when Tomcat does this:

    if (request.isSecure()) cookie.setSecure(true);

a call to cookie.getSecure() should return true. But the same filter that returns true for request.isSecure() calls Cookie.getSecure() and it returns false.

Joe

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, October 27, 2009 5:11 PM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL

Joe Wallace wrote:
>
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Tuesday, October 27, 2009 4:48 PM
> To: Tomcat Users List
> Subject: Re: SessionID cookie not secure over SSL
>
>
>> Joe Wallace wrote:
>>> I am using session cookies to track sessions. I am used to JRun where you
>>> would specifically set the cookie to be sent only over SSL or https. This
>>> was not the default setting. I want users to connect to my web site using
>>> https; then they might click a link on one of my web pages whose protocol is
>>> not secure. What is the behavior of the JSESSIONID cookie in this
>>> situation?
>>>
>> Joe,
>
>> 1) assuming your setup is
>
>> browsers <--> IIS <--> Tomcat
>>            A          B
>
>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
>
>> 2) "secure" is an attribute of a cookie, written inside of the cookie by
>> the server creating the cookie in the first place.
>> If set, it has as consequence that a browser will only send it back to
>> the original server with subsequent requests, if these subsequent
>> requests happen over a HTTPS connection.
>
>> In other words, if you set the secure attribute on the JSESSIONID
>> cookie, because for instance your initial request happens over HTTPS,
>> then you switch to a non-HTTPS part of the site, the browser is probably
>> no longer going to send this cookie back to the server.
>> In other words, you will, for practical purposes, "lose your session".
>
>> Not so, gurus ?
>
> Portion A is using IIS. IIS holds the SSL cert.
> I am using AJP 1.3 connector for IIS
> It is defined in the Tomcat Server.xml
>
> <!-- Define an AJP 1.3 Connector on port xxxx -->
> <Connector port="8109" protocol="AJP/1.3" redirectPort="443" />
>
> Am I mistaken then to think that since the connection B from IIS to
> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
> being used ?
> Whatever consequences this has in the context (and which are beyond my
> expertise).

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org