https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
--- Comment #3 from Keiichi Fujino <fujino.keii...@oss.ntt.co.jp> 2009-07-27 02:57:54 PST --- I reproduced this case. [configuration] Clustering by TomcatA and TomcatB Both TomcatA and TomcatB set <Context useHttpOnly="true" />. Both TomcatA and TomcatB set JvmRouteBinderValve. [Test] accesses TomcatA. (create session.) accesses TomcatB. (session id is changed by JvmRouteBinderValve. ) At the above test, value of the Set-Cookie header was acquired by using RequestDumperValve. It is as follows. [Before changing session ID] ... Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly ... This means HttpOnly is set. [After changing session ID by JvmRouteBinderValve] ... Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test ... This means HttpOnly is not set. Therefore, When session ID is changed by JvmRouteBinderValve, HttpOnly is not set to the Set-Cookie header. Best Regards. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
