https://bz.apache.org/bugzilla/show_bug.cgi?id=64921
Mark Thomas changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW
--- Comment #6 from Andreas Kurth ---
https://github.com/apache/tomcat/pull/377
Windows smoke test failed due to an unrelated test failure.
--
You are receiving this mail because:
You are the assignee for the bug.
--- Comment #5 from Christopher Schultz ---
That sounds good; I think there isn't any more configuration necessary, then,
since the Cookie configuration already has what it needs.
I love one-liner fixes.
Andreas, would you care to prepare a
--- Comment #4 from Mark Thomas ---
You should be able to do this in the Valve:
SessionCookieConfig scc =
    request.getContext().getServletContext().getSessionCookieConfig();
Then the logic used when the session cookie is created is:
--- Comment #3 from Christopher Schultz ---
Yes, I was thinking about some permutation of that.
--- Comment #2 from Andreas Kurth ---
Setting "Secure" unconditionally would raise another issue: Chrome doesn't
accept the Secure flag when not run under SSL. A possible – still naive –
implementation might be:
if (request.isSecure()) {
--- Comment #1 from Christopher Schultz ---
Hmm. It's not possible to know whether or not the browser thinks the cookie
should be "secure" since the client doesn't send the "secure" flag to the
server (it's a one-way flag, from server ->