Cyrille Le Clerc wrote: > Thanks very much for the time you spend on my problem Christopher. > > I use two connectors : one with secure=true and scheme=http ; another > with secured=true, scheme=https. > >> What is the requirement that scheme=http? You can actually use a >> (non-secure) HTTP connector and still set scheme=https. Do you have some >> portion of your application that relies on request.getScheme() returning >> "HTTP"? > > My application only checks request.secure=true. > > I would like Tomcat to create non-secure JSESSIONID cookies (ie > non-ssl cookies) on the connector with secure=true and scheme=http. > > Today, if request.secure=true and request.scheme=http then Tomcat > creates a secure JSESSIONID cookie that is ignored by http clients > like Apache Http Client because these clients associates secure > cookies with HTTPS. > > The modification would be that Tomcat to rely on request.scheme=https > to create secure JSESSIONID cookies instead of relying on > request.secure=true as it is done today. It would require one line of > change on org.apache.catalina.connector.Request: > > protected void configureSessionCookie(Cookie cookie) { > ... > + if ("https".equals(getScheme())) { > - if (isSecure()) { > cookie.setSecure(true); > } > } > > >> If HTTPS is not being used /at all/, then why do you want to claim that >> it is secure? If you aren't using SSL, then not having SSL cookies >> shouldn't be a problem, right? > > My problem is to have SSL cookies for HTTP requests : if > request.scheme=http and request.secure=true, then Tomcat creates a > secure JSESSIONID cookie (ie an SSL cookie) when I would like > non-secured (ie non-secured) cookies.
The Tomcat code will not be changed to behave in this way. The secure attribute is intended for use in architectures like: client <--https--> httpd <--http/ajp--> tomcat Depending on where the session is created, you might be able to use a filter to wrap your response and modify the secure attribute of any cookies as they are added to the response. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org