OK. Thanks to all.

Joe

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, October 28, 2009 12:40 PM
To: Tomcat Users List
Cc: p...@pidster.com
Subject: Re: SessionID cookie not secure over SSL

Joe,

On 10/28/2009 11:55 AM, Joe Wallace wrote:
> From Firefox Live HTTP Headers
>
> Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork;
> Secure
> Location: https://216.94.100.154/inetwork/Start.jsp
>
> Hmmmm. That looks like it is secure

Yup.

> My filter is getting this.
>
> Cookie0 name= JSESSIONID
> Cookie0 value= B4F06784FE4EAA0A7C9830BBF86D85B4
> Cookie0 isSecure = false

Aah, I see the problem: the cookie /is/ secure, but the browser doesn't
provide the "secure" flag when making a request, so the server has no
idea whether the cookie is in secure mode or not.

Rest assured that the browser will only send this cookie when using HTTPS.

-chris
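
The behaviour described in the reply above, as an added example (not code from the thread or from Tomcat): the Secure attribute travels only in the response's Set-Cookie header, while the request's Cookie header carries name=value pairs alone, so a server-side check has to audit what it sets rather than what it receives. The header values and the helper names `parse_cookie_header` and `cookies_missing_secure` are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample headers (the session id is a placeholder, not a real one).
RESPONSE_SET_COOKIE = [
    "JSESSIONID=EXAMPLE0123456789ABCDEF; Path=/inetwork; Secure",
    "theme=dark; Path=/inetwork",
]
# What a browser sends back: names and values only, no attributes.
REQUEST_COOKIE = "JSESSIONID=EXAMPLE0123456789ABCDEF; theme=dark"


def parse_cookie_header(value):
    """Return {name: {"value", "secure", "path"}} for one header value.

    Accepts both Set-Cookie (response) and Cookie (request) values; the
    difference between the two results is the point of the example.
    """
    jar = SimpleCookie()
    jar.load(value)
    return {
        name: {"value": m.value, "secure": bool(m["secure"]), "path": m["path"]}
        for name, m in jar.items()
    }


def cookies_missing_secure(set_cookie_values):
    """Audit response headers: names of cookies set without Secure."""
    missing = []
    for value in set_cookie_values:
        for name, attrs in parse_cookie_header(value).items():
            if not attrs["secure"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    # Response side: the attribute is visible.
    print("response:", parse_cookie_header(RESPONSE_SET_COOKIE[0]))
    # Request side: same cookie, but secure is False and path is empty,
    # matching the "isSecure = false" the filter in the thread reported.
    print("request: ", parse_cookie_header(REQUEST_COOKIE))
    # The check that is meaningful on the server: audit what is being set.
    print("set without Secure:", cookies_missing_secure(RESPONSE_SET_COOKIE))
```
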