We migrated our application from JBoss 5 to JBoss 6, and one of the main reasons for this was to make use of the new features of Servlet 3.0. Everything works fine apart from one new feature of JBoss 6 and Servlet 3.0: setting the session cookie to only be transferred through a secure channel, even if the request was made through plain HTTP. This is a very important security feature for us and is achieved by adding
<secure>true</secure>
in web.xml. This is part of our web.xml:
    <session-config>
        <session-timeout>25</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
When we remove the
<secure>true</secure>
everything works fine. When it is there, a new jsessionid is generated for each request, even when on a secure page (HTTPS) or on an unsecured page (HTTP). Also, the login does not work: after logging in with secure credentials, the user is redirected back to the login page.
I suppose this might also be an issue with Tomcat 7, since it also uses the Servlet 3.0 spec. Any advice would be much appreciated.
Regards
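As an added illustration (not code from the question or from JBoss), the Servlet 3.0 programmatic equivalent of the `<cookie-config>` block above, paired with a filter that keeps plain-HTTP requests from ever reaching the application. A cookie carrying the `Secure` attribute is by definition never returned by the browser over HTTP, so with `<tracking-mode>COOKIE</tracking-mode>` every HTTP request necessarily starts a fresh session; the filter removes that case. It assumes the site serves HTTPS on port 443 and that TLS terminates at the container (so `isSecure()` is reliable); it does not account for the new session IDs the question also reports on HTTPS pages.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SecureSessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Programmatic equivalent of <cookie-config> in web.xml. This must run in a
        // ServletContextListener: setSecure() throws IllegalStateException once the
        // context has finished initializing (e.g. from Filter.init()).
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // Register the HTTPS-only filter for every request path (Servlet 3.0 dynamic registration).
        FilterRegistration.Dynamic reg = ctx.addFilter("httpsOnly", new HttpsOnlyFilter());
        reg.addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Hypothetical filter: no session is ever created on a channel where the browser
     *  would refuse to return the Secure cookie. Assumes HTTPS on the default port 443. */
    static class HttpsOnlyFilter implements Filter {
        public void init(FilterConfig fc) { }
        public void destroy() { }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            if (!req.isSecure()) {
                if (!"GET".equals(req.getMethod())) {
                    // Never bounce POSTed credentials through a redirect; reject outright.
                    res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                    return;
                }
                String qs = req.getQueryString();
                res.sendRedirect("https://" + req.getServerName() + req.getRequestURI()
                        + (qs == null ? "" : "?" + qs));
                return;
            }
            chain.doFilter(request, response);
        }
    }
}
```

Behind a TLS-terminating reverse proxy, `isSecure()` is false for every request, so the filter would redirect forever; in that deployment the proxy itself has to enforce HTTPS and the container must be told the connection is secure.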