Tim Funk <[EMAIL PROTECTED]> wrote:

This was discussed a few times in the past and there might be a bugzilla report. If you submit a patch - it might have a chance at being committed - but the past discussions tried to discourage the proposed functionality.

A workaround might be to "RESET" (that is, resend) the cookie without the SECURE flag turned on.

-Tim

[EMAIL PROTECTED] wrote:

Hello configuration gurus,

I recently upgraded to Tomcat 5.0.19, and I wonder if there is a solution
to this problem yet. The problem is that in the Tomcat 4 (and apparently
Tomcat 5) series, tomcat forces it so that if a session starts under
https, then the session cookie is FORCED to be secure.


I understand that this is to protect people from having hijacked sessions
as a general case. However, there are some of us that manage this on our
own (sending our own secure cookie that we use to make sure https pages
aren't hijacked), and we would like our session cookie to be available to
http AND https, as we move back and forth through those pages depending
on the sensitivity of the content.


If the session is created under http, then it is available to http and
https. The problem only happens when the session is created under https.
And, unfortunately, my app has quite a few places where the session NEEDS
to be created under https, but needs to be available to http and https
pages.

This is EXACTLY what I just figured out was happening to me under 5.0.16; in my app, it looked like some session information wasn't getting passed. My solution was to get the secure cookie, make it "un-secure", and put it back so when my app switched to http after https authentication, that cookie would be found. But then, I'm fortunate in that there's only one place in my code where this happens, so I had a minimal amount of code to change. It would be nice if an https-generated cookie was available to both http and https on a configurable basis.

-- Lynn Hollerman.
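Editor's note, with an added example that is not part of the thread above and is not Tomcat's own code. The workaround Tim describes (resend the cookie without the Secure flag) and the one Lynn describes (copy the cookie, clear Secure, put it back) are the same operation, and it can be done once in a servlet filter instead of at each place the session is created. The filter below, written against the Servlet 2.3/2.4 API that Tomcat 4 and 5 implement, creates the session itself on an HTTPS request and then adds a second JSESSIONID cookie with secure=false before the servlet can commit the response. The filter name, the /login mapping and the default cookie name JSESSIONID are assumptions. The caveat the thread only touches on: once this is done, the session ID travels over plain HTTP on every http page and can be read by anyone on the path, which is exactly the hijack the Secure flag exists to prevent. The separate secure cookie the original poster mentions protects only the https pages; the http side of the session is exposed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Example filter (not Tomcat's code): re-send the session cookie without the
 * Secure flag when a session is created on an HTTPS request.
 *
 * Map it in web.xml to the URLs where the application creates sessions over
 * https, for example the login servlet (the class name, filter name and
 * /login path below are assumptions; use the fully qualified class name):
 *
 *   <filter>
 *     <filter-name>ResendSessionCookie</filter-name>
 *     <filter-class>ResendSessionCookieFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ResendSessionCookie</filter-name>
 *     <url-pattern>/login</url-pattern>
 *   </filter-mapping>
 */
public class ResendSessionCookieFilter implements Filter {

    /* Tomcat's default session cookie name (assumed unchanged). */
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session created over plain http already gets a cookie without the
        // Secure flag, so only https requests need the override.
        if (request.isSecure()) {
            // Create the session here, before the servlet runs, so the extra
            // Set-Cookie is queued before anything (a sendRedirect from the
            // login servlet, for instance) commits the response. A cookie
            // added after commit is silently dropped.
            HttpSession session = request.getSession(true);
            if (session.isNew()) {
                response.addCookie(buildPlainCookie(session.getId(), request.getContextPath()));
            }
        }
        chain.doFilter(req, res);
    }

    /*
     * Build a copy of the session cookie with secure=false. Name, path and
     * value must match Tomcat's own cookie, otherwise the browser stores two
     * cookies side by side instead of replacing the Secure one.
     */
    static Cookie buildPlainCookie(String sessionId, String contextPath) {
        Cookie cookie = new Cookie(SESSION_COOKIE, sessionId);
        // Tomcat sets the path to the context path, or "/" for the root context.
        cookie.setPath(contextPath == null || contextPath.length() == 0 ? "/" : contextPath);
        cookie.setSecure(false);
        cookie.setMaxAge(-1);   // browser-session cookie, same lifetime as Tomcat's
        return cookie;
    }
}
```

Tomcat adds its own Secure cookie at the moment getSession() creates the session, so the plain copy added here is the later Set-Cookie header in the same response; a browser treats a later Set-Cookie with the same name, domain and path as a replacement for the earlier one, which is what makes the "reset" work. Because the filter creates a session on every HTTPS request it is mapped to, keep the mapping narrow (the login URL rather than /*), or every secure page view will start a session.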

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]