* Yann Rouillard:
> Yes it could be seen that way, as we discussed with Emmanuel during the
> Paris BSP today, but in fact it's even better, I checked and there is no
> problem with Tomcat as the Secure flag as it already automatically set
> with the default configuration:
> - if Tomcat is accessed through the HTTPS connector, all cookies are
> secure thanks to the connector Secure option which is set by default,
> - if Tomcat is accessed through the AJP13 connector, Apache (or other
> webserver) transfers through the AJP protocol the information wether the
> connexion was through SSL or not, Tomcat uses it to set the Secure flag
Can you check that it's possible to force the secure flag with an HTTP
connector? Some load-balancer-based setups need this (although direct
HTTP connections from a browser will not work, obviously).
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.