Secure attribute of Catalina SSL Connector(APR)

[Teppei Yamada <te...@silk.co.jp>]

Hi,


I don't want every session cookies to be secure cookies, so I
intentionally set secure attribute "false" in server,xml's SSL connector
tag.
(Actually tomcat native is compiled with OpenSSL and LD_LIBRARY_PATH is
set, so the SSL connector is using APR in my case.)
But even though doing above, catalina.connector.Request.isSecure() is
always "true" when Tomcat creating session cookie internally.
How can I turn every session cookie's secure attribute off ?
(Testing with Tomcat7.0.26 and Sun JDK1.6.31 in x86_64 Linux Box)

Thanks,
Teppei



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Secure attribute of Catalina SSL Connector(APR)

[Pid <pi...@pidster.com>]

On 01/04/2012 07:37, Teppei Yamada wrote:
> Hi,
> 
> 
> I don't want every session cookies to be secure cookies, so I
> intentionally set secure attribute "false" in server,xml's SSL connector
> tag.

May I ask why?


> (Actually tomcat native is compiled with OpenSSL and LD_LIBRARY_PATH is
> set, so the SSL connector is using APR in my case.)
> But even though doing above, catalina.connector.Request.isSecure() is
> always "true" when Tomcat creating session cookie internally.

That attribute refers to the request, not the cookie, so if you're using
an SSL enabled connector it /should/ return true.


> How can I turn every session cookie's secure attribute off ?
> (Testing with Tomcat7.0.26 and Sun JDK1.6.31 in x86_64 Linux Box)

Again, why would you want to do this when the cookie is generated from a
secure connection?


p


> Thanks,
> Teppei
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


-- 

[key:62590808]