Yes it could be seen that way, as we discussed with Emmanuel during the
Paris BSP today, but in fact it's even better, I checked and there is no
problem with Tomcat as the Secure flag is already automatically set
with the default configuration:
- if Tomcat is accessed through the HTTPS connector, all cookies are
secure thanks to the connector Secure option which is set by default,
- if Tomcat is accessed through the AJP13 connector, Apache (or other
webserver) transfers through the AJP protocol the information whether the
connection was through SSL or not, Tomcat uses it to set the Secure flag.
So the upstream patch perfectly solves the issue and I was able to apply it
successfully on the current package source:
2014-11-15 18:21 GMT+01:00 Florian Weimer <f...@deneb.enyo.de>:
> > There is already an upstream bug for this problem located at this url:
> > https://issues.jenkins-ci.org/browse/JENKINS-25019
> > with a proposed fix that only addresses the HttpOnly issue for Tomcat.
> Why isn't the missing “secure” flag a Tomcat configuration issue?
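A check for the two cookie flags discussed in this thread, as an added example that is not part of the original message or of the upstream patch. It audits a `Set-Cookie` header value for `HttpOnly`, and for `Secure` when the request arrived over TLS; the function name, the `/jenkins` path and the sample header values are constructed for illustration.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value, request_was_tls):
    """Return a list of findings for one Set-Cookie header value.

    HttpOnly is expected on every cookie. Secure is expected only when
    the request reached the container over TLS (directly, or reported
    as such by a front-end web server).
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        return ["unparseable Set-Cookie value"]
    findings = []
    for name, morsel in jar.items():
        # Flag attributes parse to True when present, "" when absent.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if request_was_tls and not morsel["secure"]:
            findings.append(f"{name}: missing Secure on a TLS request")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLES = [
    ("JSESSIONID=0123abcd; Path=/jenkins; Secure", True),            # no HttpOnly
    ("JSESSIONID=0123abcd; Path=/jenkins; Secure; HttpOnly", True),  # both flags
    ("JSESSIONID=0123abcd; Path=/jenkins; HttpOnly", False),         # plain HTTP
    ("JSESSIONID=0123abcd; Path=/jenkins; HttpOnly", True),          # TLS, no Secure
]

if __name__ == "__main__":
    for header, tls in SAMPLES:
        result = audit_set_cookie(header, tls)
        print("TLS" if tls else "HTTP", "|", header, "->", result or "ok")
```
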