hc-dev mailing list archives

From a.r.dikh...@kpn.com
Subject RE: Problem maintaining sessions through HTTPS
Date Fri, 24 Oct 2003 13:24:17 GMT
> > We've been examining the headers, but the server doesn't seem to send any
> > cookies (in http it does, but not in https). I was assuming this was
> > supposed to be done through some under-water process (I'm not very familiar
> > with https), but the HttpState object does not contain any cookies in its
> > cookie collection after the first request (in http it does). Is this normal?
>
> Some application servers (IBM Websphere 4.0.x for instance) can use SSL session
> ID instead of a session cookie to look up HTTP session data on the server side.
> This certainly makes things more secure, as many exploits based on stealing or
> faking the session cookie are rendered impossible.

I see, so the reason I don't see cookies in OC4J might be because they use
this method. Do you know if (and how) HttpClient supports this type of
session?

Thanks, Arjan
