Our application redirects users to the login page when they try to access a protected resource. By doing so, it saves the original request in a session, and returns the session ID as a cookie. Even though we have the connector set as
<Connector protocol="HTTP/1.1" SSLEnabled="false"
scheme="https" secure="true" clientAuth="false"
in the /opt/jboss/server/myapp/deploy/jbossweb.sar/server.xml file, the jsessionID cookie is still NOT secure.
I have another test server with the same server file setting, but the cookie is secure. It just confuses me very much. What are the contributing factors that set the 'secure' attribute of the jsessionID cookie? Can someone please give me some hint?
Thank you so much for shedding some light onto this.