0 Replies Latest reply on Aug 2, 2012 5:48 AM by peterfry

    secure cookie and URL rewriting

    peterfry

      I have put

      <session-config>
        <cookie-config>
          <secure>true</secure>
          <http-only>true</http-only>
        </cookie-config>
      </session-config>

      into my web application's web.xml.

       

      In our development environment the HTTP communication is not secure. The cookies show as secure (using Firecookie) but all of our URLs have been rewritten to include the servlet session id.

       

      Can someone explain the rationale behind this? I always thought that URL rewriting the cookie information was a bad idea.

       

      To be honest I was expecting the application to simply stop working in a non-HTTPS environment?

       

       

      http://stackoverflow.com/questions/5944757/url-rewriting-does-that-cause-a-security-issue

       

      And how does it play with mod_proxy_ajp?
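
Added example, not part of the original post: a browser does not return a Secure cookie over plain HTTP, so a container that still has URL tracking enabled falls back to rewriting the session id into links. Assuming a Servlet 3.0 container, the standard `<tracking-mode>` element restricts session tracking to cookies; with it set, plain-HTTP requests simply carry no session instead of exposing the id in URLs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml for a Servlet 3.0 web application (assumed version). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Same cookie settings as in the post: the session cookie is only
         sent over HTTPS and is not readable from JavaScript. -->
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>

    <!-- Allow cookies as the only session tracking mechanism.
         Without this element the container's default modes apply,
         which commonly include URL, and the session id is appended
         to rewritten links whenever the cookie is not returned.
         The schema requires tracking-mode to follow cookie-config. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```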