Hi,

I am trying to allow session cookies that were created via https to retain the session when 
stepping down to http; however, by default a new session will be made. It seems that a 
session made under http will be sustained if you step up to https, but not the reverse. I 
read in the following document that in Tomcat 3.3.2 you can allow a session to be 
valid via http even if it was created via https: 
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId


      secureCookie
      [Tomcat 3.3.2] If true, then Tomcat will mark the Session ID cookie as 
"Secure" if the session is created over an SSL connection. A conforming browser will 
only send the cookie back to a page that is using SSL. The effect is that if a session 
is created from an SSL page, then it is not available to any non-SSL pages. 

<SessionId cookiesFirst="true" noCookies="false" />
<SessionId noCookies="true" />
<SessionId noCookies="true" checkSSLSessionId="true"/>

I am using Tomcat 4.1.18 and I would like to implement this as it will greatly simplify 
a section of my site. I have 2 questions regarding it though. 1) Can anyone tell me how 
this can be implemented in 4.1.18 to begin with :-) (I can't find any docs). 2) Does 
this open up a huge security hole that I am not seeing? I have heard things about 
session hijacking.

Many thanks
regards,

Dave
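
The following is an added example, not code from Dave's post or from Tomcat. It models the rule the quoted Tomcat documentation describes (a conforming browser returns a cookie carrying the "Secure" attribute only over https, per RFC 6265 section 5.4) and uses it to show why stepping down from https to http produces a fresh session when the session cookie is Secure, and what is given up when it is not. The Set-Cookie headers and the host name example.test are constructed for the example; JSESSIONID is Tomcat's default session cookie name.

```python
# Added example, not code from the post or from Tomcat: models a conforming
# browser's handling of the "Secure" cookie attribute and audits which
# session cookies would be transmitted over plaintext HTTP.
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, secure_flag)."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    # Morsel["secure"] is True when the bare "Secure" attribute is present
    return name, morsel.value, bool(morsel["secure"])


def browser_would_send(secure_flag, request_url):
    """A conforming browser only returns a Secure cookie on https requests."""
    scheme = urlparse(request_url).scheme.lower()
    return scheme == "https" or not secure_flag


def session_retained_on_step_down(set_cookie_header):
    """True if the session survives a move from https pages to http pages.

    A cookie marked Secure is withheld on the http request, so the server
    sees no session id and creates a fresh session (the behaviour described
    in the post). A cookie without Secure is returned over http, so the
    session is retained but the id now travels in cleartext, which is the
    exposure behind the session hijacking concern."""
    _, _, secure = parse_set_cookie(set_cookie_header)
    return browser_would_send(secure, "http://example.test/page")


def audit_session_cookies(set_cookie_headers, session_cookie_name="JSESSIONID"):
    """Flag session cookies that a browser would send over plaintext HTTP.

    Returns a list of (value, secure_flag, exposed_over_http) for every
    Set-Cookie header carrying the session cookie name; other cookies are
    ignored."""
    findings = []
    for header in set_cookie_headers:
        name, value, secure = parse_set_cookie(header)
        if name != session_cookie_name:
            continue
        exposed = browser_would_send(secure, "http://example.test/")
        findings.append((value, secure, exposed))
    return findings


# Constructed sample Set-Cookie headers (not captured from any real server)
SAMPLE_HEADERS = [
    "JSESSIONID=AAAA1111; Path=/; Secure",
    "JSESSIONID=BBBB2222; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for value, secure, exposed in audit_session_cookies(SAMPLE_HEADERS):
        status = "sent over http (cleartext)" if exposed else "withheld on http"
        print(f"JSESSIONID={value}: Secure={secure}: {status}")
```

Running the audit over captured Set-Cookie headers from a deployment is a quick way to confirm which setting is actually in effect: a Secure session cookie explains the new-session-on-step-down behaviour, while a session cookie without Secure is exactly the one that will be carried over http.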
