https://issues.apache.org/bugzilla/show_bug.cgi?id=24739

--- Comment #6 from Mark Thomas <ma...@apache.org> 2011-02-22 12:46:02 EST ---

(In reply to comment #5)
> How can you say there are no valid use cases? Virtually EVERY ecommerce site
> on the internet supports this behavior.

No they don't. At least the securely written ones don't.

I thoroughly recommend taking a detailed look at how Amazon does this - or at least as much as can be deduced from looking at the HTTP headers from the client side. There is more to it than a single session.

Amazon has multiple cookies. I see 5 that don't have the secure flag set and one that does. The non-secure cookies are what allows Amazon to determine who you are when you connect over http, but you can't access any security sensitive information (past orders, addresses, credit card details etc). For that you have to use https, and that requires authentication or the presence of a valid secure cookie.

The Amazon application is using a far more sophisticated model than the single session with a single cookie model provided by the Servlet specification. If you want that sort of model as used by Amazon and others, then you'll need to either code it yourself or use a framework that provides it.

With respect to this particular bug, the primary concern of the Tomcat committers is security. If a session is created over https then it must remain over https in order to remain secure.

As I have said previously, if a valid use case for creating a non-secure session cookie over https that does not compromise security is presented, then this will be re-considered, but until such time it remains WONTFIX.
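The rule stated in the comment above, that a session created over https must only ever be used over https, can be enforced inside an application even when its session cookie is not marked Secure. The following is an added example written for this page; it is not Tomcat code and does not come from the bug thread. It assumes the Servlet 3.0 API (javax.servlet), a hypothetical session attribute name and class names, and that the application wants a plain-http request carrying a secure-created session to be invalidated and redirected to https rather than served. The listener at the end shows the normal way to get the Secure flag on the session cookie; the filter is the fallback for the situation the reporter asked for.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not part of Tomcat): a session that was created on an
 * https connection is discarded the moment it is presented over plain http.
 * Register it in web.xml with a url-pattern of /* so every request passes
 * through it.
 */
public class SecureSessionFilter implements Filter {

    // Hypothetical attribute key; any name unique to the application will do.
    static final String CREATED_SECURE = "example.session.createdSecure";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect an existing session; never create one in a filter.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Boolean createdSecure = (Boolean) session.getAttribute(CREATED_SECURE);
            if (Boolean.TRUE.equals(createdSecure) && !request.isSecure()) {
                // The session id has now travelled over plain http and may have
                // been observed, so the session is no longer trustworthy.
                session.invalidate();
                response.sendRedirect(httpsUrl(request));
                return;
            }
        }

        chain.doFilter(req, res);

        // If a servlet further down the chain created a session during this
        // request, record whether the creating connection was secure.
        HttpSession created = request.getSession(false);
        if (created != null) {
            try {
                if (created.getAttribute(CREATED_SECURE) == null) {
                    created.setAttribute(CREATED_SECURE, Boolean.valueOf(request.isSecure()));
                }
            } catch (IllegalStateException alreadyInvalidated) {
                // The servlet invalidated the session itself; nothing to record.
            }
        }
    }

    // Rebuild the requested URL on the https scheme (default port assumed).
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
                .append(request.getServerName())
                .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    @Override
    public void destroy() { }
}

/**
 * The first line of defence: ask the container to set the Secure flag on the
 * session cookie so browsers never send it over http at all. This is the
 * Servlet 3.0 SessionCookieConfig API; it can equally be expressed in web.xml.
 */
class SecureCookieConfigListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().getSessionCookieConfig().setSecure(true);
        sce.getServletContext().getSessionCookieConfig().setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The filter deliberately does not try to reproduce the multi-cookie model the comment attributes to Amazon; it only makes the single-session model fail closed, so that a request which would otherwise be served with a secure-created session over http is refused instead.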
--- Comment #6 from Mark Thomas <ma...@apache.org> 2011-02-22 12:46:02 EST --- (In reply to comment #5) > How can you say there are no valid use cases? Virtually EVERY ecommerce site > on the internet supports this behavior. No they don't. At least the securely written ones don't. I thoroughly recommend taking a detailed look at how Amazon does this - or at least as much as can be deduced from looking at the HTTP headers from the client side. There is more to it than a single session. Amazon has multiple cookies. I see 5 for that don't have the secure flag set and one that does. The non-secure cookies are what allows Amazon to determine who you are when you connect over http but you can't access any security sensitive information (past orders, addresses, credit card details etc). For that you have to use https and that requires authentication or the presence of a valid secure cookie. The Amazon application is using a far more sophisticated model than the single session with a single cookie model provided by the Servlet specification. If you want that sort of model as used by Amazon and others then you'll need to either code it yourself or use a framework that provides it. With respect to this particular bug the primary concern of the Tomcat committers is security. If a session is created over https then it must remain over https in order to remain secure. As I have said previously, if a valid use case for creating a non-secure session cookie over https that does not compromise security is presented then this will be re-considered but until such time it remains WONTFIX. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org