Joe Wallace wrote:
I am using session cookies to track sessions. I am used to Jrun, where you 
would specifically set the cookie to be sent only over SSL or https. This was 
not the default setting. I want users to connect to my web site using https; 
then they might click a link on one of my web pages whose protocol is not 
secure. What is the behavior of the JSESSIONID cookie in this situation?

Joe,

1) assuming your setup is

browsers <--> IIS  <--> Tomcat
           A         B

which portion(s) is/are using HTTPS? A? B? Both?

2) "secure" is an attribute of a cookie, written into the cookie by the server that creates it in the first place. If set, it has the consequence that a browser will only send the cookie back to the original server with subsequent requests if those subsequent requests happen over an HTTPS connection.

In other words, if you set the secure attribute on the JSESSIONID cookie, because for instance your initial request happens over HTTPS, and you then switch to a non-HTTPS part of the site, the browser is probably no longer going to send this cookie back to the server.
In other words, you will, for practical purposes, "lose your session".

Not so, gurus?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
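As an added illustration of the rule described in the reply above (this is example code written for this page, not code from the thread, from Tomcat or from JRun), the following script drives Python's standard-library http.cookiejar, which applies the same Secure-attribute rule a browser does: a JSESSIONID issued over HTTPS with the Secure attribute is attached to a later https:// request but not to an http:// one on the same host, while the same cookie without the attribute is sent on both. The host name example.com, the session id value and the URL paths are made-up sample data.

```python
"""Model of how a browser cookie jar treats the Secure attribute on JSESSIONID.

Added example, not from the original thread. http.cookiejar implements the
same rule browsers follow: a cookie carrying the Secure attribute is only
returned on https requests. All hosts, paths and values below are constructed
sample data.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar.extract_cookies() only
    needs an info() method returning an object with get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def session_jar(set_cookie_header):
    """Simulate a login response over HTTPS that issues the session cookie and
    return the resulting cookie jar (the browser's cookie store)."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://example.com/app/login")  # constructed URL
    jar.extract_cookies(_Response([set_cookie_header]), login)
    return jar


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if the jar decides no cookie may be sent (e.g. Secure over http)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def compare_secure_vs_plain():
    """Map each follow-up URL to (cookie sent from the Secure jar,
    cookie sent from the plain jar)."""
    secure_jar = session_jar("JSESSIONID=ABC123XYZ; Path=/app; Secure; HttpOnly")
    plain_jar = session_jar("JSESSIONID=ABC123XYZ; Path=/app")
    follow_ups = [
        "https://example.com/app/account",  # stays on HTTPS
        "http://example.com/app/help",      # link to a non-HTTPS part of the site
    ]
    return {
        url: (cookie_sent_to(secure_jar, url), cookie_sent_to(plain_jar, url))
        for url in follow_ups
    }


if __name__ == "__main__":
    print(f"{'request':40} {'Secure cookie':22} {'plain cookie'}")
    for url, (secure, plain) in compare_secure_vs_plain().items():
        print(f"{url:40} {str(secure):22} {plain}")
```

The model only covers the browser side (leg A in the diagram): whether the server marks the cookie Secure in the first place is a separate matter, which is why the reply asks which leg of the IIS/Tomcat setup actually carries HTTPS.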