The "secureCookie" attribute was added to 3.3.2 only to allow backwards
compatibility with 3.3.1.  Like Tomcat 4 and higher, the default is 'true'.
It's a pretty small patch:
http://cvs.apache.org/viewcvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java.diff?r1=1.20&r2=1.21

if you just want to add the feature to 3.3.1.  Like Yoav said, TC 4 and
higher always uses secure cookies.

----- Original Message -----
From: "Shapira, Yoav" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, November 26, 2003 8:37 AM
Subject: RE: Question on Tomcat 4



Howdy,
Tomcat 4 and later are so different from 3.x.  I suggest you do the
migration, if only for the speed and feature increases.  I don't think
there's an "attribute" called "secureCookie" in tomcat4, as there is no
"un-secure" mode.  Perhaps a tomcat 3 guru like Senor Barker can fill in
more information...

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Eduardo Campoy [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, November 26, 2003 11:33 AM
>To: [EMAIL PROTECTED]
>Cc: Jason Rivard
>Subject: Question on Tomcat 4
>
>Hello,
>
>I am using Tomcat 3.3.1 with Internet Web Application and after doing an
>ETHICAL HACKING TEST, they discovered a problem in Tomcat session cookie
>(JSESSIONID).
>After reading Tomcat 3.3.2 manual, there is an attribute called
>"secureCookie" that resolves my issue. BUT tomcat 3.3.2 is not released
>yet.
>My question is "Does this attribute called "secureCookie" exist in
>TOMCAT 4?"
>
>Thanks in advance
>
>
>
>Eduardo Campoy
>Technology Account Manager
>Novell, THE leading provider of net business solutions
>Tel - 55 11 3345-3938
>Cel - 55 11 9232-7456
>AIM - ecampoy sao
>MSN - [EMAIL PROTECTED]






---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
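
An added example, not part of the thread or of Tomcat's code: a check an operator could run over the Set-Cookie values returned on HTTPS responses to confirm that JSESSIONID carries the Secure attribute. It assumes the finding discussed above was a session cookie issued without Secure; the function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie values for a session cookie missing Secure.
# Input is one header value per list item (not several cookies joined by commas).

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, cookie_value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    valueless flags such as Secure.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def insecure_session_cookies(set_cookie_values, cookie_name="JSESSIONID"):
    """Return the header values that set cookie_name without the Secure flag."""
    findings = []
    for value in set_cookie_values:
        name, _, attrs = parse_set_cookie(value)
        # Match on the parsed attribute name, not a substring of the header:
        # "Path=/secure" or "theme=secure" must not count as the Secure flag.
        if name == cookie_name and "secure" not in attrs:
            findings.append(value)
    return findings


# Constructed Set-Cookie values as they might appear in HTTPS responses.
SAMPLES = [
    "JSESSIONID=A1B2C3; Path=/app; Secure",   # Secure flag present
    "JSESSIONID=D4E5F6; Path=/secure",        # "secure" only inside the path
    "JSESSIONID=0A1B2C;path=/app;secure",     # lower case, no spaces
    "theme=secure; Path=/",                   # not the session cookie
]

if __name__ == "__main__":
    for header in insecure_session_cookies(SAMPLES):
        print("session cookie sent without Secure:", header)
```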

