Thanks for your response Christopher,

> > Could we imagine an evolution of Tomcat to generate secure session
> > cookies if "request.scheme == https" rather than on "request.secure ==
> > true"? I would be very pleased to propose a patch.
>
> Do you have a reason to set request.secure=false while request.scheme=https?

I may not have been clear. My need is the opposite: I want to have
request.secure=true but request.scheme=http. However, if
request.secure=true, whatever the value of request.scheme is, Tomcat
generates a secure JSESSIONID cookie. My problem is that most http
clients treat secure cookies as "ssl only" and thus, my JSESSIONID
cookie is ignored. I face this problem with Apache Http Client for
example.

> > My use case is: an application receives requests from both the
> > internet and from other servers of my data center (same trusted zone).
> > The requests coming from the internet may use http or https while
> > internal requests use http (for security and CPU consumption reasons).
> > The application's web services require a secure channel (https from
> > the internet or http from the trusted zone).
>
> What is the danger of saying that request.scheme=https in your case?

I would prefer to have request.scheme with the value that was used by
the http client in case an application uses the scheme.

Thanks for your time,

Cyrille
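The client-side behaviour described in the message above, as an added example that is not part of the original post: Python's standard http.cookiejar stands in for the HTTP client (the post names Apache Http Client), and the host name, context path and session id are constructed values.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample values (not from the original thread).
HOST = "app.example.test"
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/app; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/app; HttpOnly"


class FakeResponse:
    """Minimal response object: CookieJar only needs info().get_all()."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string("Set-Cookie: %s\n\n" % set_cookie)

    def info(self):
        return self._msg


def cookie_header_sent(set_cookie, login_url, next_url):
    """Store the cookie received on login_url, then return the Cookie
    header the jar would attach to next_url (None if it is withheld)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    http_login = "http://%s/app/login" % HOST
    cases = [
        ("Secure cookie, next request over http", SECURE_COOKIE, "http"),
        ("Secure cookie, next request over https", SECURE_COOKIE, "https"),
        ("Non-secure cookie, next request over http", PLAIN_COOKIE, "http"),
    ]
    for label, cookie, scheme in cases:
        sent = cookie_header_sent(cookie, http_login, "%s://%s/app/orders" % (scheme, HOST))
        print("%-42s -> Cookie: %s" % (label, sent))
```

The first case is the one from the message: the server marked the session cookie Secure on a plain-http exchange, so the follow-up http request carries no JSESSIONID and the session is lost.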