approach that
is to do pattern matching (10.*) on request.remoteAddr to flag
RequestFacade.secure=true if the requests come from my secured network
area. This will let request.secure=false if request.scheme=http and
thus have non-secure JSESSIONID cookies.
I tested with a valve called
if request.scheme=http and
thus have non-secure JSESSIONID cookies.
I tested with a valve called SecuredRemoteAddressesValve (1) that I
precede with RemoteIpValve (2) to process the x-forwarded-for header to
find the real remoteAddr and this works fine.
That sounds like a good solution
Hello,
My use case may not have been clear enough:
The internal over http connector: secure = true, scheme = http
doesn't behave as I would like for stateful requests because Tomcat
generates a secure JSESSIONID cookie even if the configured scheme is
http rather than https.
Due
Cyrille,
On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote:
I am interested in using the secure attribute of Tomcat
connectors for non https/ssl requests. However, the ssl only
JSESSIONID cookie mechanism currently relies on request.secure ==
true
request.scheme=https?
I may not have been clear.
My need is the opposite: I want to have request.secure=true but
request.scheme=http.
However, if request.secure=true, whatever the value of
request.scheme, Tomcat generates a secure JSESSIONID cookie. My
problem is that most http clients treat secure
scheme=https. Do you have some
portion of your application that relies on request.getScheme() returning
HTTP?
However, if request.secure=true, whatever the value of
request.scheme, Tomcat generates a secure JSESSIONID cookie. My
problem is that most http clients treat secure cookie as ssl
you have some
portion of your application that relies on request.getScheme() returning
HTTP?
My application only checks request.secure=true.
I would like Tomcat to create non-secure JSESSIONID cookies (i.e.
non-ssl cookies) on the connector with secure=true and scheme=http.
Today
and still set scheme=https. Do you have some
portion of your application that relies on request.getScheme() returning
HTTP?
My application only checks request.secure=true.
I would like Tomcat to create non-secure JSESSIONID cookies (i.e.
non-ssl cookies) on the connector with secure=true
if request.scheme=http and
thus have non-secure JSESSIONID cookies.
I tested with a valve called SecuredRemoteAddressesValve (1) that I
precede with RemoteIpValve (2) to process the x-forwarded-for header to
find the real remoteAddr and this works fine.
Thanks very much for your help,
Cyrille
(1)
http://xebia
Hello,
I am interested in using the secure attribute of Tomcat
connectors for non https/ssl requests. However, the ssl only
JSESSIONID cookie mechanism currently relies on request.secure ==
true rather than on request.scheme == https (1). A confusion on
secure vs. https seems to come from
I believe if your session starts through HTTPS, the cookie will be
marked as secure and it won't be sent if the user switches to non-secure
HTTP.
Maybe my question is stupid, but, is it possible to browse a site on
HTTP and having just the JSESSIONID cookie sent on HTTPS to prevent
session
GF,
GF wrote:
| I believe if your session starts through HTTPS, the cookie will be
| marked as secure and it won't be sent if the user switches to non-secure
| HTTP.
|
| Maybe my question is stupid, but, is it possible to browse a site on
| HTTP and
Hello,
can you give me a link about setting up a secure JSessionID cookie? I
mean to let it pass over HTTPS and not HTTP.
Thank you.
GF,
GF wrote:
| can you give me a link about setting up a secure JSessionID cookie? I
| mean to let it pass over HTTPS and not HTTP.
I believe if your session starts through HTTPS, the cookie will be
marked as secure and it won't be sent