Hi Mark,

Please find my comments here & PFA diagram.

User --------> AWS --------> Tomcat
      (HTTPS)        (HTTPS)

User-HTTPS request----> AWS-ELB(https-443)  re-direct to tomcat connector port-8080

What is the (expected) path when the user makes an HTTPS request? Is it:

User --------> AWS --------> Tomcat 
      (HTTPS)        (HTTPS)


Regards,
Naga Ramesh

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, November 30, 2017 1:06 PM
To: Tomcat Users List
Subject: Re: getting some cookie & security related issues.

On 30/11/2017 06:53, Naga Ramesh wrote:
> Team,
> 
> We are facing some issues during security-level testing, so please 
> check the issues mentioned below and suggest the changes needed at the 
> Tomcat level ASAP.
> 
>     1.      *Session Cookie do not contain secure attribute:* for this,
>     what are all the changes I need to make at the Tomcat level?
> 
>     2.      *Site susceptible to Man-In-The-Middle HTTPS Downgrade
>     attack*: Here we have used the AWS ELB with SSL and mapped it to the
>     Tomcat instance, but during testing the instance went to HTTP instead
>     of HTTPS, so what are all the changes that need to be made for these
>     issues at the Tomcat level?
> 
> Versions:
>                 Tomcat version:                   tomcat-8.0.33
>                 Java Version:                     1.8.0_60-b27
> 
> And also attached the server.xml, web.xml & context file of tomcat/conf.

Thank you for providing the version and configuration details. To answer
your questions we need to know a little more information.

What is the (expected) path when the user makes an HTTP request? Is it:

User --------> AWS --------> Tomcat
      (HTTP)        (HTTP)


What is the (expected) path when the user makes an HTTPS request? Is it:

User --------> AWS --------> Tomcat
      (HTTPS)        (HTTP)

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
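An added example, not a configuration from this thread nor from the attached server.xml/web.xml: assuming the ELB terminates TLS and forwards plain HTTP to the Tomcat connector on port 8080 while setting X-Forwarded-Proto (which a Classic ELB does for HTTP/HTTPS listeners), these Tomcat 8.0 fragments make Tomcat treat such requests as secure so the session cookie carries the Secure attribute, and add HSTS so a browser that has seen the site over HTTPS refuses a downgrade to plain HTTP. The internalProxies pattern is an assumed placeholder for the ELB's subnet.

```xml
<!-- server.xml, inside <Host> (or <Engine>). The proxy address pattern is an
     assumed placeholder; replace it with the ELB subnet(s) actually in use. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="10\.0\.\d{1,3}\.\d{1,3}" />
<!-- With this valve, request.isSecure() is true whenever the ELB sent
     X-Forwarded-Proto: https, so Tomcat marks JSESSIONID as Secure and
     redirects built from the request use https://host:443. -->

<!-- web.xml of the application (or conf/web.xml): force the cookie flags
     regardless of what the valve reports. With secure=true the browser never
     sends JSESSIONID over plain HTTP, so an HTTP request gets no session. -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

<!-- HSTS against the downgrade finding. The filter only emits the header on
     requests it sees as secure, which is why the RemoteIpValve is needed. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

To check the result, request the site through the ELB over HTTPS and confirm the Set-Cookie header contains Secure and HttpOnly and that Strict-Transport-Security is present; a request straight to port 8080 without X-Forwarded-Proto should get neither.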