You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Gerald Schöffel <ta...@online.de> on 2006/06/03 01:29:58 UTC
http/https jsessionid - issue with Apache/Tomcat
Hi !
I have the following problem:
Inside the direct link listener of my login page (scheme https) I validate the user input and create an visit ASO an success.
So a session is created and stored via a cookie on the browser.
When leaving the https scheme, the jsessionid is lost, because the cookie is marked as https-only.
While I understand this behaviour (security reasons) I do not wan't to disable session-cookies in apache. I want to keep the url tidy :)
So is there a way to tell Apache (forwaring to Tomcat via JKMount) to treat https sessionid as 'unsafe' and store them in an http-readable cookie ?
I take care of the sessionid-hijacking for myself - so there is no need for Apache todo so.
Thank you in advance !
Gerald
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org