Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-23 Thread Mark Thomas
Cyrille Le Clerc wrote: Thank you for the clarification Mark. Depending on where the session is created, you might be able to use a filter to wrap your response and modify the secure attribute of any cookies as they are added to the response. I am sorry to bother you but I don't see how I

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-23 Thread Cyrille Le Clerc
Thanks for your reply Mark, I exposed this Valve + RequestFacade subclassing scenario to the other guys on my project and we prefer not to modify Tomcat internals. We are currently hesitating between introducing a ServletFilter and subclassing

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Hello, My use case may not have been clear enough : The internal over http connector : secure = true, scheme = http doesn't behave as I would like for stateful requests because Tomcat generates a secure JSESSIONID cookie even if the configured scheme is http rather than https. Due to this

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Christopher Schultz
Cyrille, On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote: I am interested in using the secure attribute of Tomcat connectors for non https/ssl requests. However, the ssl only JSESSIONID cookie mechanism currently relies on request.secure == true

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thanks for your response Christopher, Could we imagine an evolution of Tomcat to generate secure session cookies if request.scheme == https rather than on request.secure == true ? I would be very pleased to propose a patch. Do you have a reason to set request.secure=false while

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Christopher Schultz
Cyrille, On 6/22/2009 3:50 PM, Cyrille Le Clerc wrote: My need is the opposite : I want to have request.secure=true but request.scheme=http. What is the requirement that scheme=http? You can actually use a (non-secure) HTTP connector and still set

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thanks very much for the time you spend on my problem Christopher. I use two connectors : one with secure=true and scheme=http ; another with secured=true, scheme=https. What is the requirement that scheme=http? You can actually use a (non-secure) HTTP connector and still set scheme=https. Do

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Mark Thomas
Cyrille Le Clerc wrote: Thanks very much for the time you spend on my problem Christopher. I use two connectors : one with secure=true and scheme=http ; another with secured=true, scheme=https. What is the requirement that scheme=http? You can actually use a (non-secure) HTTP connector

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thank you for the clarification Mark. Depending on where the session is created, you might be able to use a filter to wrap your response and modify the secure attribute of any cookies as they are added to the response. I am sorry to bother you but I don't see how I could wrap the class

Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-21 Thread Cyrille Le Clerc
Hello, I am interested in using the secure attribute of Tomcat connectors for non https/ssl requests. However, the ssl only JSESSIONID cookie mechanism currently relies on request.secure == true rather than on request.scheme == https (1). A confusion on secure vs. https seems to come from