Hey,

I recently discovered that the session id cookie created by tomcat is
setSecure(true) by the HttpResponseBase:

    if (hreq.isSecure())
        cookie.setSecure(true);
    addCookie(cookie);

So, it looks like it is set secure, and it seems my browser respects that,
as it only sends the JSESSIONID cookie to my HTTPS server, and not my HTTP
server when it is created on HTTPS.

But, how come this JSP code says the cookie is NOT secure???
    <%
    // request.getCookies() returns null when the request carries no Cookie header
    Cookie[] cookies = request.getCookies();
    if ( cookies != null )
    {
        for ( int i = 0; i < cookies.length; i++ )
        {
            Cookie cookie = cookies[i];   // the cookie for this iteration
            out.println( "name = " + cookie.getName() + "<br>" );
            out.println( "secure = " + cookie.getSecure() + "<br>" );
            out.println("<P>");
        }
    }
    %>

The JSESSIONID cookie is not secure, even though I know it _must_ be!
What's up with that?

Ian.
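The behaviour Ian describes has a protocol explanation: the Secure attribute travels only in the server's Set-Cookie response header, while the browser's Cookie request header carries just name=value pairs, so a request-side getSecure() has no attribute to report. Added example, not from the original mail or from Tomcat, using constructed sample headers to show where the flag can actually be verified:

```python
# Added example (not from the original mail): where the Secure flag actually lives.
# The browser sends only name=value in the Cookie request header, so any
# request-side check like cookie.getSecure() sees no attribute at all; the flag
# has to be verified on the server's Set-Cookie response header instead.

# Constructed sample headers, not captured from a real Tomcat instance.
SET_COOKIE_HTTPS = "JSESSIONID=ABC123; Path=/; Secure"   # session created on HTTPS
SET_COOKIE_HTTP = "JSESSIONID=DEF456; Path=/"            # session created on HTTP
REQUEST_COOKIE = "JSESSIONID=ABC123"                      # what the browser sends back


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie response header into name, value and attributes.

    Attribute names are case-insensitive; flag attributes without a value
    (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header: it carries only name=value pairs."""
    pairs = {}
    for part in header.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip()] = val.strip()
    return pairs


def session_cookie_is_secure(set_cookie: str, name: str = "JSESSIONID") -> bool:
    """True when the named cookie in a Set-Cookie header carries the Secure flag."""
    cookie = parse_set_cookie(set_cookie)
    return cookie["name"] == name and cookie["attrs"].get("secure") is True


if __name__ == "__main__":
    for hdr in (SET_COOKIE_HTTPS, SET_COOKIE_HTTP):
        print(f"{hdr!r:45} -> Secure={session_cookie_is_secure(hdr)}")
    # The request side has no attributes to inspect, whatever the server set.
    print("request-side attributes:", parse_cookie_header(REQUEST_COOKIE))
```

Checking the Set-Cookie header of the HTTPS response (for example in a browser's network tab or a proxy) is the reliable way to confirm the flag; request-side inspection cannot distinguish a Secure cookie from a plain one.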
