https://bz.apache.org/bugzilla/show_bug.cgi?id=63771
Bug ID: 63771 Summary: A way to strip 'Secure' From the cookie Product: Tomcat 8 Version: 8.5.46 Hardware: PC OS: Linux Status: NEW Severity: enhancement Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: a...@gentoo.org Target Milestone: ---- Hello, we have the following situations: nginx listen on port 80 and 443, and there is a proxy_pass to tomcat. Tomcat is not on the same machine so the traffic between nginx and tomcat is encrypted by using tomcat on ssl. We need to leave nginx listen on 80 because there are some embebbed devices that do not support SSL, so they will fail on 443. The issue, for us, is that if you try to connect to 80 with a browser, the 'set-cookie' header contains 'Secure' added by tomcat, so it will fail in plain text. We were able to fix the issue as described here: https://serverfault.com/questions/853228/nginx-reverse-proxy-remove-secure-from-cookies Would be great to have a feature to strip the 'Secure' object added to the header (unless I failed to search and already exists) Thanks in advance -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org