As the person that implemented the 3.3.2 behavior documented below, I'm more than willing to review a patch to 4.1.x that would implement the same behavior. I just can't bring myself to believe that it's that big of an issue if it's not worth anyone's time to construct a patch.
"David Hemingway" <[EMAIL PROTECTED]> wrote in message news:031c01c2b7ac$a6f50a90$0b7bfea9@w9b1jqmyjsd9ds1...

Hi,

I am trying to allow session cookies that were created via https to retain the session when stepping down to http; however, by default a new session will be made. It seems that a session made under http will be sustained if you step up to https, but not the reverse.

I read in the following document that in Tomcat 3.3.2 you can allow a session to be valid via http even if it was created via https:

http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId

    secureCookie [Tomcat 3.3.2]
    If true, then Tomcat will mark the Session ID cookie as "Secure" if the session is created over a SSL connection. A conforming browser will only send the cookie back to a page that is using SSL. The effect is that if a session is created from a SSL page, then it is not available to any non-SSL pages.

    <SessionId cookiesFirst="true" noCookies="false" />
    <SessionId noCookies="true" />
    <SessionId noCookies="true" checkSSLSessionId="true"/>

I am using Tomcat 4.1.18 and I would like to implement this as it will greatly simplify a section of my site. I have 2 questions regarding it though.

1. Can anyone tell me how this can be implemented in 4.1.18 to begin with :-) (I can't find any docs).
2. Does this open up a huge security hole that I am not seeing? I have heard things about session hijacking?

Many thanks,
regards,
Dave
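The mechanism the quoted Tomcat 3.3.2 documentation describes, as an added illustration that is not part of the thread or of Tomcat's code: the server decides whether to put the Secure attribute on the session ID cookie, and a conforming browser then refuses to send a Secure cookie over plain http, which is exactly why the https-created session "disappears" on step-down. The function names, the JSESSIONID cookie layout and the sample session ID are assumptions constructed for the example.

```python
"""Model of the Tomcat 3.3.2 `secureCookie` setting (example code, not
Tomcat's own implementation). Names and the sample session ID are
constructed for illustration."""

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool


def session_set_cookie(session_id: str, created_over_ssl: bool,
                       secure_cookie: bool) -> str:
    """Build the Set-Cookie header for a newly created session.

    With secure_cookie=True (the documented secureCookie="true" behaviour)
    the Secure attribute is added whenever the session was created over
    SSL; with secure_cookie=False the cookie is plain and usable on both
    http and https, which is the step-down behaviour Dave is asking for.
    """
    header = f"JSESSIONID={session_id}; Path=/"
    if secure_cookie and created_over_ssl:
        header += "; Secure"
    return header


def parse_set_cookie(header: str) -> Cookie:
    """Minimal parser: cookie-pair plus detection of the Secure attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name=name, value=value, secure=secure)


def browser_sends_cookie(cookie: Cookie, request_url: str) -> bool:
    """A conforming browser only returns a Secure cookie over https."""
    scheme = urlsplit(request_url).scheme.lower()
    return (not cookie.secure) or scheme == "https"


def session_survives_step_down(secure_cookie: bool) -> bool:
    """Is a session created over https still presented on a later http request?"""
    hdr = session_set_cookie("constructed-session-id-1234",
                             created_over_ssl=True,
                             secure_cookie=secure_cookie)
    return browser_sends_cookie(parse_set_cookie(hdr),
                                "http://www.example.com/page")


def session_survives_step_up(secure_cookie: bool) -> bool:
    """Is a session created over http still presented on a later https request?"""
    hdr = session_set_cookie("constructed-session-id-5678",
                             created_over_ssl=False,
                             secure_cookie=secure_cookie)
    return browser_sends_cookie(parse_set_cookie(hdr),
                                "https://www.example.com/page")


if __name__ == "__main__":
    for flag in (True, False):
        print(f"secureCookie={flag}: step-up keeps session="
              f"{session_survives_step_up(flag)}, "
              f"step-down keeps session={session_survives_step_down(flag)}")
```

Running it shows the asymmetry from the original question: step-up works either way, step-down only works when the cookie is not marked Secure. That is also the answer to the second question in the post, framed from the defender's side: once the cookie is plain, the same session ID that was issued under SSL travels in clear text on every http request, so anyone who can observe that traffic sees the identifier for the SSL session, which is the exposure the Secure attribute exists to prevent.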
