Cyrille Le Clerc wrote:
Thank you for the clarification Mark.
Depending on where the session is created, you might be able to use a
filter to wrap your response and modify the secure attribute of any
cookies as they are added to the response.
I am sorry to bother you but I don't see how I
Thanks for your reply Mark,
I exposed this Valve + RequestFacade subclassing scenario to the other
guys on my project and we prefer not to modify Tomcat internals. We are
currently hesitating between introducing a ServletFilter and subclassing
Hello,
My usecase may have not been clear enough :
The internal over http connector : secure = true, scheme = http
doesn't behave has I would like for stateful requests because Tomcat
generates a secure JSESSIONID cookie even if the configured scheme is
http rather than https.
Due to this
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cyrille,
On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote:
I am interested in using the secure attribute of Tomcat
connectors for non https/ssl requests. However, the ssl only
JSESSIONID cookie mechanism currently relies on request.secure ==
true
Thanks for your response Christopher,
Could we imagine an evolution of Tomcat to generate secure session
cookies if request.scheme == https rather than on request.secure ==
true ? I would be very pleased to propose a patch.
Do you have a reason to set request.secure=false while
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cyrille,
On 6/22/2009 3:50 PM, Cyrille Le Clerc wrote:
My need is the opposite : I want to have request.secure=true but
request.scheme=http.
What is the requirement that scheme=http? You can actually use a
(non-secure) HTTP connector and still set
Thanks very much for the time you spend on my problem Christopher.
I use two connectors : one with secure=true and scheme=http ; another
with secured=true, scheme=https.
What is the requirement that scheme=http? You can actually use a
(non-secure) HTTP connector and still set scheme=https. Do
Cyrille Le Clerc wrote:
Thanks very much for the time you spend on my problem Christopher.
I use two connectors : one with secure=true and scheme=http ; another
with secured=true, scheme=https.
What is the requirement that scheme=http? You can actually use a
(non-secure) HTTP connector
Thank you for the clarification Mark.
Depending on where the session is created, you might be able to use a
filter to wrap your response and modify the secure attribute of any
cookies as they are added to the response.
I am sorry to bother you but I don't see how I could wrap the class
Hello,
I am interested in using the secure attribute of Tomcat
connectors for non https/ssl requests. However, the ssl only
JSESSIONID cookie mechanism currently relies on request.secure ==
true rather than on request.scheme == https (1). A confusion on
secure vs. https seems to come from
10 matches
Mail list logo