On Mon, Nov 2, 2009 at 5:03 AM, Pid wrote:
> On 02/11/2009 10:06, S Arvind wrote:
>
>> Hi Tomcat developers,
>>
>>Bascially my requirement is ability to control the session
>> sharing in browser. Till now we maintained each application as differnet
>> context but pointing to same doc-
[quickie synopsis]
A request arriving on a connector configured for scheme=https and with
secure=true is generating absolute redirect urls with scheme=https and port
= 80 (https://localhost:80/path.html) because incoming request was on 443
and didn't have an explicit port in the Host header.
[/quic
the incorrect default of 80 when no port is specified in the url.
On Mon, Oct 12, 2009 at 9:59 PM, Sam Gendler wrote:
> [quickie synopsis]
> A request arriving on a connector configured for scheme=https and with
> secure=true is generating absolute redirect urls with scheme=https and po
momentarily.
On Tue, Oct 13, 2009 at 1:00 AM, Sam Gendler wrote:
> That looks like it will work, but it doesn't explain why the connector
> would think port 80 was appropriate. I could see port 8090 showing up, but
> given that the scheme is https and there was no port number in t
? It just seems
like a bug to me. It does look like proxyPort can be used to force it to
443, though, so that will work.
On Tue, Oct 13, 2009 at 12:19 AM, Peter Crowther <
peter.crowt...@melandra.com> wrote:
> 2009/10/13 Sam Gendler :
> > That method uses
> > request.getSc
>
>
>
> No. That is by design. The session ID is almost as valuable as the
> password. If you need SSL to protect the password, you should use SSL to
> protect the session ID.
>
>
Well, that's fairly application specific, but the argument has also been
done to death elsewhere. Workaround is alread
