users@glassfish.java.net

Re: How to share JSESSIONID Session cookie between HTTP and HTTPS?

From: <glassfish_at_javadesktop.org>
Date: Wed, 07 May 2008 12:39:57 PDT

The upcoming GlassFish V2.1 release adds support for a new cookie property named "cookieSecure", which may be specified in sun-web.xml, as follows:

  <sun-web-app>
    <session-config>
      <cookie-properties>
        <property name="cookieSecure" value="[true|false|dynamic]" />
      </cookie-properties>
    </session-config>
  </sun-web-app>

with the following semantics:

- "true":
   Sets the Secure attribute of any JSESSION or JSESSIONIDSSO
   cookies associated with the web application to "true"

- "false":
   Sets the Secure attribute of any JSESSION or JSESSIONIDSSO
   cookies associated with the web application to "false"

- "dynamic":
   Has the Secure attribute of any JSESSION or JSESSIONIDSSO
   cookie associated with the web application inherit the
   security setting of the request that caused the cookie to be
   generated

The next release of the Servlet specification (Servlet 3.0) will add a standard mechanism for configuring session tracking cookies that will also cover the above configuration aspect. This is what the link you mentioned:

  http://wiki.glassfish.java.net/Wiki.jsp?page=SessionTrackingCookieConfig

is referring to.

Jan
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=273213
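
The following is an added example, not part of the original message or of GlassFish: a small Python model of the three "cookieSecure" values described above, showing on which schemes a browser would send the session cookie back. The function names, the constructed sample descriptor, and the simplified browser rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, using the layout shown in the message.
SUN_WEB_XML = """<sun-web-app>
  <session-config>
    <cookie-properties>
      <property name="cookieSecure" value="{mode}" />
    </cookie-properties>
  </session-config>
</sun-web-app>"""


def cookie_secure_mode(descriptor):
    """Return the cookieSecure value from a sun-web.xml string, or None if unset."""
    root = ET.fromstring(descriptor)
    for prop in root.findall("./session-config/cookie-properties/property"):
        if prop.get("name") == "cookieSecure":
            return prop.get("value")
    return None


def secure_flag(mode, creating_scheme):
    """Secure attribute of the session cookie, per the semantics in the message."""
    if mode == "true":
        return True
    if mode == "false":
        return False
    if mode == "dynamic":
        # Inherit the security of the request that generated the cookie.
        return creating_scheme == "https"
    raise ValueError("unsupported cookieSecure value: %r" % mode)


def browser_sends(secure, scheme):
    """Simplified browser model: a Secure cookie is returned only over HTTPS.
    Storage rules for Secure cookies set over plain HTTP are not modelled."""
    return scheme == "https" or not secure


def session_visibility(descriptor, creating_scheme):
    """Schemes on which the cookie is sent after being created on creating_scheme."""
    secure = secure_flag(cookie_secure_mode(descriptor), creating_scheme)
    return {s: browser_sends(secure, s) for s in ("http", "https")}


if __name__ == "__main__":
    for mode in ("true", "false", "dynamic"):
        for scheme in ("http", "https"):
            seen = session_visibility(SUN_WEB_XML.format(mode=mode), scheme)
            print("cookieSecure=%-7s created over %-5s -> %s" % (mode, scheme, seen))
```

In this model the cookie is visible on both schemes only with "false", or with "dynamic" when the session was first created over HTTP; in both cases the session ID also travels over cleartext HTTP.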