No browser that I know of actually sends this information back to the server (IMHO, A Good Thing :). Therefore Tomcat has no way of knowing what the browser thinks of the cookie settings, and is only telling you what it knows.

"Zabel, Ian" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hey,
>
> I recently discovered that the session id cookie created by tomcat is
> setSecure(true) by the HttpResponseBase:
>
> if (hreq.isSecure())
>     cookie.setSecure(true);
> addCookie(cookie);
>
> So, it looks like it is set secure, and it seems my browser respects that,
> as it only sends the JSESSIONID cookie to my HTTPS server, and not my HTTP
> server when it is created on HTTPS.
>
> But, how come this JSP code says the cookie is NOT secure???
> <%
> Cookie[] cookies = request.getCookies();
> for ( int i = 0; i < cookies.length; i++ )
> {
>     out.println( "name = " + cookies[i].getName() + "<br>" );
>     out.println( "secure = " + cookies[i].getSecure() + "<br>" );
>     out.println("<P>");
> }
> %>
>
> The JSESSIONID cookie is not secure, even though I know it _must_ be!
> What's up with that?
>
> Ian.

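The round trip described in the reply, as an added example that is not code from the thread or from Tomcat. It uses the JDK's `java.net.HttpCookie` as a stand-in for the servlet `Cookie` class; the session id value and the helper name `toRequestHeader` are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.List;

public class CookieRoundTrip {

    // Hypothetical helper: what a browser puts in the Cookie request header.
    // Only name=value pairs go back; Path, Secure, etc. stay in the browser.
    static String toRequestHeader(List<HttpCookie> jar, boolean requestIsHttps) {
        StringBuilder sb = new StringBuilder();
        for (HttpCookie c : jar) {
            if (c.getSecure() && !requestIsHttps) {
                continue; // Secure cookies are withheld from plain HTTP requests
            }
            if (sb.length() > 0) {
                sb.append("; ");
            }
            sb.append(c.getName()).append('=').append(c.getValue());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of the response header a server sends over HTTPS.
        String setCookie = "Set-Cookie: JSESSIONID=0123ABCD; Path=/; Secure";
        List<HttpCookie> jar = HttpCookie.parse(setCookie);
        System.out.println("browser stored secure = " + jar.get(0).getSecure());

        String overHttps = toRequestHeader(jar, true);
        String overHttp = toRequestHeader(jar, false);
        System.out.println("Cookie header over HTTPS: '" + overHttps + "'");
        System.out.println("Cookie header over HTTP:  '" + overHttp + "'");

        // Server side: the request cookie is rebuilt from name=value alone,
        // so its secure flag is just the default for a new cookie object.
        for (String pair : overHttps.split("; ")) {
            int eq = pair.indexOf('=');
            HttpCookie seen =
                new HttpCookie(pair.substring(0, eq), pair.substring(eq + 1));
            System.out.println("server sees " + seen.getName()
                + " secure = " + seen.getSecure());
        }
    }
}
```

To learn on the server whether the cookie arrived over a protected channel, test the request itself with `request.isSecure()`, the same check the quoted Tomcat snippet uses before calling `setSecure(true)`.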