* Yann Rouillard:

> Yes it could be seen that way, as we discussed with Emmanuel during the
> Paris BSP today, but in fact it's even better, I checked and there is no
> problem with Tomcat as  the Secure flag as it already automatically set
> with the default configuration:
>   - if Tomcat is accessed through the HTTPS connector, all cookies are
> secure thanks to the connector Secure option which is set by default,
>   - if Tomcat is accessed through the AJP13 connector, Apache (or other
> webserver) transfers through the AJP protocol the information wether the
> connexion was through SSL or not, Tomcat uses it to set the Secure flag
> accordingly.

Can you check that it's possible to force the secure flag with an HTTP
connector?  Some load-balancer-based setups need this (although direct
HTTP connections from a browser will not work, obviously).

This is the maintainer address of Debian's Java team
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to