Posted to users@tapestry.apache.org by Gerald Schöffel <ta...@online.de> on 2006/06/03 01:29:58 UTC

http/https jsessionid - issue with Apache/Tomcat

Hi !

I have the following problem:

Inside the direct link listener of my login page (scheme https) I validate the user input and create a visit ASO on success.

So a session is created and stored via a cookie on the browser.

When leaving the https scheme, the jsessionid is lost, because the cookie is marked as https-only.

While I understand this behaviour (security reasons) I do not want to disable session-cookies in Apache. I want to keep the url tidy :)

So is there a way to tell Apache (forwarding to Tomcat via JKMount) to treat https sessionid as 'unsafe' and store them in an http-readable cookie ?

I take care of the sessionid-hijacking for myself - so there is no need for Apache to do so.

Thank you in advance ! 

Gerald
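
An added example, not part of the original post: the behaviour described above reproduced with Python's standard cookie jar, showing that a JSESSIONID set with the `Secure` attribute on the https login response is sent back over https but withheld from plain http, while the same cookie without `Secure` is sent on both. The host name, paths and session id are constructed placeholders.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, login_url, next_url):
    """Return the Cookie header a client sends to next_url after login_url
    answered with the given Set-Cookie value, or None if nothing is sent."""
    jar = CookieJar()
    # Store the cookie as if it arrived on the login response.
    jar.extract_cookies(_Response(set_cookie), Request(login_url))
    # Build the follow-up request and let the jar decide what to attach.
    follow_up = Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed sample values (placeholders, not taken from the post).
LOGIN = "https://app.example.test/app/login"
HTTPS_PAGE = "https://app.example.test/app/home"
HTTP_PAGE = "http://app.example.test/app/home"
SECURE = "JSESSIONID=0123456789ABCDEF; Path=/app; Secure"
PLAIN = "JSESSIONID=0123456789ABCDEF; Path=/app"

if __name__ == "__main__":
    for label, header in (("Secure", SECURE), ("no Secure", PLAIN)):
        for url in (HTTPS_PAGE, HTTP_PAGE):
            sent = cookie_header_for(header, LOGIN, url)
            print(f"{label:10} {url:40} -> {sent}")
```

With no cookie on the http request, the servlet container has no session id to look up, which is the "lost" session the post describes.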
