Description of problem: from http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

"""When using the SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. As the content of the SSO-Cookie is confidential (it will lead to automatically logged in sessions in other contexts - https or non-https) this should never happen."""

Also according to the ASF Bugzilla entry, the upstream versions before 5.5.21 are vulnerable.
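The defect above is a missing cookie attribute, which is easy to verify from the response headers alone. The following Python check is an added example (not code from the bug report or from Tomcat): it parses Set-Cookie header values and reports session cookies that were issued over HTTPS without the Secure attribute. The cookie names, the sample headers and their values are constructed for the example.

```python
"""Flag session cookies issued over HTTPS without the Secure attribute."""
from typing import Dict, List

# Cookie names treated as session/SSO cookies. JSESSIONID is Tomcat's default
# session cookie; JSESSIONIDSSO is the SingleSignOn valve's cookie from the report.
SESSION_COOKIE_NAMES = {"JSESSIONID", "JSESSIONIDSSO"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map to
    True; valued attributes (Path, Domain, Max-Age, ...) map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def find_insecure_session_cookies(set_cookie_headers: List[str],
                                  over_https: bool) -> List[str]:
    """Return the names of session cookies set over HTTPS without Secure.

    Without the Secure attribute the browser also attaches the cookie to plain
    http requests to the same host, which is the leak the report describes.
    """
    findings: List[str] = []
    if not over_https:
        # The check only makes sense for a response received over TLS.
        return findings
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in SESSION_COOKIE_NAMES and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample headers, as if captured from one HTTPS response.
SAMPLE_HEADERS = [
    "JSESSIONIDSSO=constructed-sso-value; Path=/",                  # no Secure: the bug
    "JSESSIONID=constructed-session-value; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",                                           # not a session cookie
]

if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_HEADERS, over_https=True):
        print(f"{name}: set over HTTPS without the Secure attribute")
```

Run against a real response, feed the function every Set-Cookie header of the response (one header per element) and set over_https according to how the response was fetched; a hit on JSESSIONIDSSO means the SSO cookie will also be sent on any http request to the same host.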
This issue has been addressed in the following products:

Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html