I have put

```xml
<session-config>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
```

into my web application's web.xml. In our development environment the HTTP communication is not secure. The cookies show as secure (using Firecookie), but all of our URLs have been rewritten to include the servlet session id. Can someone explain the rationale behind this? I always thought that URL rewriting the cookie information was a bad idea. To be honest, I was expecting the application to simply stop working in a non-HTTPS environment?
http://stackoverflow.com/questions/5944757/url-rewriting-does-that-cause-a-security-issue
And how does it play with mod_proxy_ajp?