"Raiden" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> Anyone have any ideas if there is a solution to this problem in 4.1.12, or
> are we better off reverting back to Tomcat 3.3.2 to restore the old
> behavior of not making the sessionId cookie a secure cookie if the session
> was created under https?
>
Certainly in 4.1.12, there is no way to turn this off. If you care enough to
submit a patch, this may change in 4.1.17+ (i.e. I'll seriously look at it).

> Thanks in advance!
> -Raiden
>
>
>
> On Mon, 25 Nov 2002, Raiden wrote:
>
> > Hello,
> >
> > Tomcat 3.3.2 has a secureCookie parameter that restores the old behavior
> > of not making the sessionId cookie a secure cookie if it was created
> > under https. Is there such a parameter in 4.1.12?
> >
> > I know there has been a thread debating the reasons as to why a
> > session that is created under https is not available to http pages.
> >
> > However, I have an application that was designed for the old spec, in
> > which a session was available to both http and https pages, regardless of
> > which protocol the session was created under.
> >
> > I have avoided the security problem of hijacked sessions by making sure
> > that sensitive pages ALWAYS require https, and I drop a secure
> > cookie of my own when someone logs in (the login page is under https of
> > course), so that even if someone hijacks the http pages, they cannot
> > hijack the https pages without passing back that cookie (whose contents I
> > store in the session for verification).
> >
> > However, since upgrading to 4.1.12, I have realized that my application
> > can no longer function, because I rely on people creating a session under
> > https... and then accessing non-sensitive pages under http. But, in
> > 4.1.12, the session is not available to subsequently accessed http
> > pages... and I really don't want to start encrypting these non-sensitive
> > pages. (But, I do want the user logged in before they can access these
> > pages.)
> >
> > Does something like the secureCookie parameter exist in 4.1.12?
> >
> > Thanks,
> > Raiden
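The layered check Raiden describes (a second Secure cookie issued at the https login, its value kept in the session and verified on every https-only page) written out as a servlet filter. This is an added illustration, not code from the thread or from Tomcat; the class, cookie and attribute names are assumptions, and it uses the Servlet 2.3 API that Tomcat 4.1 implements.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter (not Tomcat code): guards https-only pages with a second
// Secure cookie whose value was stored in the session at login.
public class SecureTokenFilter implements Filter {
    static final String COOKIE = "SECURETOKEN";   // assumed cookie name
    static final String ATTR = "secureToken";     // assumed session attribute
    private static final SecureRandom RNG = new SecureRandom();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    // Call from the https login page after authentication succeeds: the token is
    // kept in the session and issued as a Secure cookie, which the browser never
    // sends over plain http, so whoever only sees http traffic never learns it.
    public static void issueToken(HttpServletRequest req, HttpServletResponse resp) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuffer hex = new StringBuffer();
        for (int i = 0; i < raw.length; i++) {
            hex.append(Integer.toHexString((raw[i] & 0xff) | 0x100).substring(1));
        }
        String token = hex.toString();
        req.getSession(true).setAttribute(ATTR, token);
        Cookie c = new Cookie(COOKIE, token);
        c.setSecure(true);
        c.setPath("/");
        resp.addCookie(c);
    }
    // Mapped in web.xml to the sensitive URL patterns only.
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(ATTR);
        String presented = null;
        Cookie[] cookies = req.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (COOKIE.equals(cookies[i].getName())) presented = cookies[i].getValue();
        }
        // Refuse plain http, a session with no login, or a session whose secure
        // token the client cannot present: the session id alone is not enough.
        if (!req.isSecure() || expected == null || !expected.equals(presented)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

This only protects the https pages; the non-sensitive http pages still share a session cookie that travels in the clear, which is exactly the exposure Tomcat 4.1 closes by marking the cookie Secure.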
