Cyrille Le Clerc wrote:
> Thank you for the clarification Mark.
>
>> Depending on where the session is created, you might be able to use a
>> filter to wrap your response and modify the secure attribute of any
>> cookies as they are added to the response.
>
> I am sorry to bother you but I don't see how I could wrap the class
> o.a.c.connector.Response whose method addCookieInternal(cookie) is
> called by o.a.c.connector.Request.doGetSession(boolean) to create the
> JSESSIONID cookie.

Sorry, my bad. It was late and I wasn't thinking clearly.

> If all this is too complex, I will fall back to another approach that
> is to do pattern matching (10.*) on request.remoteAddr to flag
> RequestFacade.secure=true if the requests come from my secured network
> area. This will let request.secure=false if request.scheme=http and
> thus have non-secure JSESSIONID cookies.
> I tested with a valve called SecuredRemoteAddressesValve (1) that I
> precede with RemoteIpValve (2) to process the x-forwarded-for header to
> find the real remoteAddr and this works fine.

That sounds like a good solution to me. Valves were the other area I was
going to suggest you investigate.

Mark
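
The valve approach discussed in this thread, sketched as an added example. This is not the SecuredRemoteAddressesValve from the message or any Tomcat code. The class name, package, the securedAddresses attribute and the default pattern are assumptions, and it uses the javax.servlet namespace (Tomcat 9 and earlier).

```java
// Added example; hypothetical class, not the valve referenced in the thread.
package example;

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class InternalNetworkSecureValve extends ValveBase {

    // Assumed default for the 10.* network named in the thread. Written as a
    // full dotted quad: the bare regex "10.*" would also match 100.64.0.1 or
    // 109.1.2.3, because "." matches any character.
    private Pattern securedAddresses =
            Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");

    // Settable from server.xml:
    // <Valve className="example.InternalNetworkSecureValve" securedAddresses="..."/>
    public void setSecuredAddresses(String regex) {
        this.securedAddresses = Pattern.compile(regex);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        boolean originalSecure = request.isSecure();
        String remoteAddr = request.getRemoteAddr();
        // matches() requires the whole address to match, not a substring.
        boolean fromSecuredNetwork = remoteAddr != null
                && securedAddresses.matcher(remoteAddr).matches();
        if (fromSecuredNetwork) {
            // Downstream code now sees isSecure() == true for this request.
            request.setSecure(true);
        }
        try {
            getNext().invoke(request, response);
        } finally {
            // Request objects are recycled, so restore the original flag.
            request.setSecure(originalSecure);
        }
    }
}
```

The valve has to be declared after RemoteIpValve so that getRemoteAddr() already holds the address taken from x-forwarded-for. That address is only as trustworthy as RemoteIpValve's internalProxies/trustedProxies settings, since the header is client-supplied on any connection that does not come through those proxies.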