Hello,

My use case may not have been clear enough:

The "internal over http connector : secure = true, scheme = http"
doesn't behave as I would like for stateful requests because Tomcat
generates a secure JSESSIONID cookie even if the configured scheme is
"http" rather than "https".

Due to this secure JSESSIONID cookie for non SSL http requests,
clients like "Apache Http Client" won't retransmit the cookie
between requests.

I hope my use case is clearer.

Cyrille

On Sun, Jun 21, 2009 at 12:52 PM, Cyrille Le Clerc
<cyrille.lecl...@pobox.com> wrote:
>
>   Hello,
>
>   I am interested in using the "secure" attribute of Tomcat
> connectors for non https/ssl requests. However, the "ssl only"
> JSESSIONID cookie mechanism currently relies on "request.secure ==
> true" rather than on "request.scheme == https" (1). A confusion on
> "secure vs. https" seems to come from the fact that "cookie.secure ==
> true" is interpreted by most http clients as "cookie.sslOnly == true".
>   Due to this behavior, I don't see how I can use "connector.secure =
> true" without "connector.scheme = https".
>
>   Could we imagine an evolution of Tomcat to generate secure session
> cookies if "request.scheme == https" rather than on "request.secure ==
> true" ? I would be very pleased to propose a patch.
>
>   My use case is: an application receives requests from both the
> internet and from other servers of my data center (same trusted zone).
> The requests coming from the internet may use http or https when
> internal requests use http (for security and CPU consumption reasons).
> The application's web services require a secure channel (https from
> the internet or http from the trusted zone).
>   If Tomcat handled secure session cookies on "request.scheme ==
> https" rather than "request.secure == true", I would handle this with
> three connectors thanks to the nuance between the "secure" and
> "scheme" attributes of the connectors:
> - external over http connector : secure = false, scheme = http
> - external over https/ssl connector : secure = true, scheme = https
> - internal over http connector : secure = true, scheme = http
>   Today, I handle this in the application wrapping the Http Servlet
> Request to declare "secure" requests whose remoteAddr matches the 10.*
> block.
>
>   Cyrille
>
> (1) See 
> http://fisheye6.atlassian.com/browse/tomcat/trunk/java/org/apache/catalina/connector/Request.java?r=HEAD#l2367
> (2) web browsers, Apache Commons Http client, etc
>
> --
> Cyrille Le Clerc
> cyrille.lecl...@pobox.com clecl...@xebia.fr
> http://blog.xebia.fr
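The workaround mentioned at the end of the quoted message, written out as an added example (it is neither Cyrille's code nor Tomcat's): a servlet filter that wraps plain-http requests arriving from an assumed trusted 10.* range so the application sees isSecure() == true, while the connector itself is left with secure="false" so Tomcat's own session-cookie logic, which reads the underlying connector request and not the wrapper, does not flag the JSESSIONID cookie Secure. The class name and the 10. prefix are assumptions; the check trusts getRemoteAddr(), so it is only meaningful on a connector reachable solely from that network and not sitting behind a proxy.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Reports plain-http requests from a trusted internal network as "secure"
 * to the application only. The connector keeps secure="false", so the
 * container still issues a non-Secure JSESSIONID cookie that an http client
 * will resend on later requests.
 *
 * Assumption: the 10.* block is the trusted zone and this connector is only
 * reachable from it (e.g. bound to an internal address, no proxy in front),
 * otherwise getRemoteAddr() cannot be relied on to identify internal callers.
 */
public class TrustedNetworkSecureFilter implements Filter {
    private static final String TRUSTED_PREFIX = "10."; // assumed trusted range

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only wrap what is not already secure (the https connector needs no help).
        if (req instanceof HttpServletRequest && !req.isSecure()
                && isTrusted(req.getRemoteAddr())) {
            req = new SecureViewWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Prefix match on the dotted address; null (unknown peer) is never trusted. */
    static boolean isTrusted(String remoteAddr) {
        return remoteAddr != null && remoteAddr.startsWith(TRUSTED_PREFIX);
    }

    /** Overrides isSecure() only; scheme stays "http", matching the connector nuance. */
    private static class SecureViewWrapper extends HttpServletRequestWrapper {
        SecureViewWrapper(HttpServletRequest request) { super(request); }
        @Override public boolean isSecure() { return true; }
    }
}
```

Register it in web.xml with a filter-mapping on the paths whose web services require a secure channel; code doing `request.isSecure()` checks then accepts both the https connector and the internal http connector.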
