Thanks very much for the time you spend on my problem, Christopher.

I use two connectors: one with secure=true and scheme=http; another
with secured=true, scheme=https.

> What is the requirement that scheme=http? You can actually use a
> (non-secure) HTTP connector and still set scheme=https. Do you have some
> portion of your application that relies on request.getScheme() returning
> "HTTP"?

My application only checks request.secure=true.

I would like Tomcat to create non-secure JSESSIONID cookies (i.e.
non-ssl cookies) on the connector with secure=true and scheme=http.

Today, if request.secure=true and request.scheme=http then Tomcat
creates a secure JSESSIONID cookie that is ignored by http clients
like Apache Http Client because these clients associate secure
cookies with HTTPS.

The modification would be for Tomcat to rely on request.scheme=https
to create secure JSESSIONID cookies instead of relying on
request.secure=true as it is done today. It would require one line of
change on org.apache.catalina.connector.Request:

   protected void configureSessionCookie(Cookie cookie) {
...
+         if ("https".equals(getScheme())) {
-         if (isSecure()) {
           cookie.setSecure(true);
       }
   }
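
Review bot: replacing isSecure() with "https".equals(getScheme()) in configureSessionCookie changes the result for every connector where the two settings disagree, not only the secure=true/scheme=http one described here. Such a connector would issue JSESSIONID without the Secure flag, so clients may send the session id over plain HTTP, while a connector with scheme=https and secure=false would start marking the cookie Secure. Consider keeping isSecure() as the default and making the scheme-based check an explicit opt-in setting, with a comment next to the condition explaining when the two values differ.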


> If HTTPS is not being used /at all/, then why do you want to claim that
> it is secure? If you aren't using SSL, then not having SSL cookies
> shouldn't be a problem, right?

My problem is to have SSL cookies for HTTP requests: if
request.scheme=http and request.secure=true, then Tomcat creates a
secure JSESSIONID cookie (i.e. an SSL cookie) when I would like
non-secured (i.e. non-secured) cookies.

> > I would prefer to have request.scheme with the value that was used by
> > the http client in case an application uses the scheme.
>
> In that case, "scheme" should be honestly set to the scheme being used
> by the <Connector>, which ought to be known in advance.

Agreed, it is what I do.

Thanks again for your time,

Cyrille
