Hi Mark,

Please find my comments here & PFA diagram.

User --------> AWS --------> Tomcat
     (HTTPS)        (HTTPS)

User HTTPS request ----> AWS ELB (https-443) redirect to Tomcat connector port 8080

What is the (expected) path when the user makes an HTTPS request? Is it:

User --------> AWS --------> Tomcat
     (HTTPS)        (HTTPS)

Regards,
Naga Ramesh

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, November 30, 2017 1:06 PM
To: Tomcat Users List
Subject: Re: getting some cookie & security related issues.

On 30/11/2017 06:53, Naga Ramesh wrote:
> Team,
>
> We are facing some issues at security level testing time, so please
> check the below mentioned issues and suggest to me the changes at the
> Tomcat level ASAP.
>
> 1. *Session cookie does not contain the secure attribute:* for this,
>    what are all the changes I need to make at the Tomcat level?
>
> 2. *Site susceptible to Man-In-The-Middle HTTPS Downgrade
>    attack*: here we have used the AWS ELB with SSL and mapped it to the
>    Tomcat instance, but at testing time the instance went to HTTP instead
>    of HTTPS, so what are all the changes I need to take care of for this
>    issue at the Tomcat level?
>
> Versions:
> Tomcat version: tomcat-8.0.33
> Java version: 1.8.0_60-b27
>
> Also attached are the server.xml, web.xml & context file from tomcat/conf.

Thank you for providing the version and configuration details. To answer
your questions we need to know a little more information.

What is the (expected) path when the user makes an HTTP request? Is it:

User --------> AWS --------> Tomcat
     (HTTP)         (HTTP)

What is the (expected) path when the user makes an HTTPS request? Is it:

User --------> AWS --------> Tomcat
     (HTTPS)        (HTTP)

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
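The topology described in the thread (TLS terminated at the AWS ELB, plain HTTP on Tomcat's port 8080) is the usual root cause of both findings: Tomcat sees every request as HTTP, so it neither marks JSESSIONID as Secure nor emits an HSTS header. The configuration below is an added example, not the poster's attached server.xml/web.xml and not a fix confirmed in the thread. It uses standard Tomcat 8.0 features: the RemoteIpValve (which sets request.isSecure() from the X-Forwarded-Proto header the ELB adds), the Servlet 3.0 cookie-config, and the HttpHeaderSecurityFilter for HSTS. The internalProxies range, the HSTS max-age and the session timeout are assumed values to be replaced with the deployment's own.

```xml
<!-- Added example, not from the original post.
     Excerpt 1: server.xml, inside <Engine>. Tomcat keeps the HTTP connector
     on 8080 but learns from X-Forwarded-Proto that the client used HTTPS.
     internalProxies is a constructed regex for the ELB's subnet; only
     headers arriving from those addresses are trusted, so a client on
     another network cannot forge X-Forwarded-Proto: https. -->
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443"
         internalProxies="10\.0\.\d{1,3}\.\d{1,3}" />

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
</Engine>

<!-- Excerpt 2: web.xml (the application's, or conf/web.xml for every app).
     cookie-config forces the Secure and HttpOnly attributes on the session
     cookie regardless of what the valve decided; the filter adds
     Strict-Transport-Security so browsers refuse a later plain-HTTP
     downgrade for max-age seconds (31536000 = one year, assumed value). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>false</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
```

Two points a practitioner should verify after applying this. First, the HttpHeaderSecurityFilter only emits Strict-Transport-Security when request.isSecure() is true, so without the RemoteIpValve (or, for a connector dedicated to ELB traffic, secure="true" scheme="https" proxyPort="443" on the Connector) the HSTS setting silently does nothing. Second, with <secure>true</secure> the session cookie will not be sent back by a browser over plain HTTP, so tests that hit port 8080 directly will appear to lose their session; that is the intended behaviour, and the scanner's downgrade finding additionally needs the ELB's port 80 listener to redirect to 443 rather than serve the application, which is an ELB-side change rather than a Tomcat one. Confirming the result is a matter of inspecting the response headers from the public HTTPS endpoint for a Set-Cookie line carrying Secure; HttpOnly and a Strict-Transport-Security header.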