Bug#769682: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Florian Weimer
fw at deneb.enyo.de
Mon Nov 17 21:24:25 UTC 2014
* Yann Rouillard:
> Yes it could be seen that way, as we discussed with Emmanuel during the
> Paris BSP today, but in fact it's even better, I checked and there is no
> problem with Tomcat, as the Secure flag is already automatically set
> with the default configuration:
>
> - if Tomcat is accessed through the HTTPS connector, all cookies are
> secure thanks to the connector Secure option which is set by default,
> - if Tomcat is accessed through the AJP13 connector, Apache (or other
> webserver) transfers through the AJP protocol the information whether the
> connection was through SSL or not, Tomcat uses it to set the Secure flag
> accordingly.
Can you check that it's possible to force the secure flag with an HTTP
connector? Some load-balancer-based setups need this (although direct
HTTP connections from a browser will not work, obviously).
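
The load-balancer case raised above, as an added configuration example that is not part of the original message or of the Debian package: Tomcat's HTTP connector accepts `scheme` and `secure` attributes that make it treat requests as having arrived over TLS. The port numbers are constructed placeholders and assume the load balancer terminates HTTPS on 443.

```xml
<!-- server.xml fragment (constructed example; port numbers are placeholders).
     The two Connector elements are alternatives, not meant to coexist. -->

<!-- Before: plain HTTP connector behind a TLS-terminating load balancer.
     request.isSecure() returns false, so the session cookie is issued
     without the Secure flag even though the browser used HTTPS. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />

<!-- After: same plain HTTP listener, but Tomcat is told that every request
     on it was secured upstream.
       secure="true"   -> request.isSecure() returns true, so session
                          cookies get the Secure flag
       scheme="https"  -> request.getScheme() and generated redirects
                          use https
       proxyPort="443" -> request.getServerPort() reports the port the
                          browser actually connected to -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           scheme="https" secure="true"
           proxyPort="443" />
```

With this setting every request on the connector is reported as secure, so the port should be reachable only from the load balancer.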