-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cyrille,
On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote: > I am interested in using the "secure" attribute of Tomcat > connectors for non https/ssl requests. However, the "ssl only" > JSESSIONID cookie mechanism currently relies on "request.secure == > true" rather than on "request.scheme == https" (1). Note that setting the request.scheme="https" affects only the value returned from request.getScheme() and request.secure only affects the return value of request.isSecure(). > Due to this behavior, I don't see how I can use "connector.secure = > true" without "connector.scheme = https". This is probably true, but I can see a use case where you want to treat some communication (say, localhost) as secure even when HTTP is being used. > Could we imagine an evolution of Tomcat to generate secure session > cookies if "request.scheme == https" rather than on "request.secure == > true" ? I would be very pleased to propose a patch. Do you have a reason to set request.secure=false while request.scheme=https? > My usecase is : an application receives requests from both the > internet and from other servers of my data center (same trusted zone). > The requests coming from the internet may use http or https when > internal request use http (for security and CPU consumption reasons). > The application's web services require a secure channel (https from > the internet or http from the trusted zone). What is the danger of saying that request.scheme=https in your case? > If Tomcat handled secure session cookies on "request.scheme == > https" rather than "request.secure == true", I would handle this with > three connectors thanks to the nuance between the "secure" and > "scheme" attributes of the connectors : - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAko/21sACgkQ9CaO5/Lv0PDuLwCgqX33PsAAaMQzXYw5kf6wRScZ HQsAn0f0Cz6i2BjUpmiy3aJ0ZST1ZNxI =yacH -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
