RE: how to maintain session between HTTP and HTTPS?

Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 95827 invoked from network); 14 Dec 2000 17:15:39 -0000 Received: from unknown (HELO calex01.secretshopnet.com) (216.94.7.66) by locus.apache.org with SMTP; 14 Dec 2000 17:15:39 -0000 Received: by calex01.secretshopnet.com with Internet Mail Service (5.5.2650.21) id ; Thu, 14 Dec 2000 10:14:34 -0700 Message-ID: <79ED1734AFDDD311B11600D0B74721B18A552E@calex01.secretshopnet.com> From: Michael Kuz To: "'tomcat-dev@jakarta.apache.org'" Subject: RE: how to maintain session between HTTP and HTTPS? Date: Thu, 14 Dec 2000 10:14:32 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C065F1.54406E2A" X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C065F1.54406E2A Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Are you sharing sessions over multiple Tomcat instances/boxes? (ie: does HTTP and HTTPS both point to same instance of Tomcat?) > -----Original Message----- > From: Weigen Liang [mailto:weigenliang@yahoo.com] > Sent: Thursday, December 14, 2000 9:21 AM > To: tomcat-dev@jakarta.apache.org; eroberts@alexandriasc.com > Subject: RE: how to maintain session between HTTP and HTTPS? >=20 >=20 >=20 > --- cga wrote: > > I find it strange that it doesn't maintains session > > accross http and https. > > =BFAre you redirecting? > Netscape (4.7, at least) does not maintain session > between http and https. IE does. This happens with or=20 > without redirect.=20 >=20 > What I ended up doing is to ALWAYS encode session id=20 > into the urls when crossing the http/https boundary, > so not depending on the encodeURL or encodeRedirectURL > of response object. > =20 > > Gaston > >=20 > >=20 > > ----- Original Message ----- > > From: Elijah Roberts > > To: > > Sent: Saturday, December 09, 2000 4:11 AM > > Subject: Re: how to maintain session between HTTP > > and HTTPS? > >=20 > >=20 > > > On Saturday December 09, 2000 Weigen Liang wrote: > > > > > I'm trying to find a way to maintain session > > between > > > > > HTTP and HTTPS: some pages (html/jsp), > > > > > such as login and credit card info, need to > > > > > transported under HTTPS, but the rest does not > > > > > need to. I prefer not to spending the extra > > > > > cpu circles for unnecessary encryption since > > > > > the servers may be under heavy cpu utilization > > > > > due to generating images for returning to > > user. > > > > > > > > > > Any suggestions? > > > > > > Is a normal JSP session not maintained across HTTP > > and HTTPS. I have > > > never tried it out, but I don't see any reason why > > it shouldn't work. > > > Have you tried it and found it to not work? Your > > email is a little vague. > > > > > > Elijah Roberts > > > eroberts@alexandriasc.com > >=20 >=20 >=20 > __________________________________________________ > Do You Yahoo!? > Yahoo! Shopping - Thousands of Stores. Millions of Products. > http://shopping.yahoo.com/ >=20 Michael R. Kuz Developer Service Intelligence (403) 261-5000 ext. 363 mkuz@serviceintelligence.com ------_=_NextPart_001_01C065F1.54406E2A Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: how to maintain session between HTTP and HTTPS?

Are you sharing sessions over multiple Tomcat = instances/boxes?
(ie: does HTTP and HTTPS both point to same instance = of Tomcat?)

> -----Original Message-----
> From: Weigen Liang [mailto:weigenliang@yahoo.com]<= /FONT>
> Sent: Thursday, December 14, 2000 9:21 = AM
> To: tomcat-dev@jakarta.apache.org; = eroberts@alexandriasc.com
> Subject: RE: how to maintain session between = HTTP and HTTPS?
>
>
>
> --- cga <cga@ciudad.com.ar> wrote:
> > I find it strange that it doesn't = maintains session
> > accross http and https.
> > =BFAre you redirecting?
> Netscape (4.7, at least) does not maintain = session
> between http and https. IE does. This happens = with or
> without redirect.
>
> What I ended up doing is to ALWAYS encode = session id
> into the urls when crossing the http/https = boundary,
> so not depending on the encodeURL or = encodeRedirectURL
> of response object.
>
> > Gaston
> >
> >
> > ----- Original Message -----
> > From: Elijah Roberts = <eroberts@alexandriasc.com>
> > To: = <tomcat-dev@jakarta.apache.org>
> > Sent: Saturday, December 09, 2000 4:11 = AM
> > Subject: Re: how to maintain session = between HTTP
> > and HTTPS?
> >
> >
> > > On Saturday December 09, 2000 Weigen = Liang wrote:
> > > > > I'm trying to find a way to = maintain session
> > between
> > > > > HTTP and HTTPS: some pages = (html/jsp),
> > > > > such as login and credit = card info, need to
> > > > > transported under HTTPS, = but the rest does not
> > > > > need to. I prefer not to = spending the extra
> > > > > cpu circles for unnecessary = encryption since
> > > > > the servers may be under = heavy cpu utilization
> > > > > due to generating images = for returning to
> > user.
> > > > >
> > > > > Any suggestions?
> > >
> > > Is a normal JSP session not = maintained across HTTP
> > and HTTPS. I have
> > > never tried it out, but I don't see = any reason why
> > it shouldn't work.
> > > Have you tried it and found it to not = work? Your
> > email is a little vague.
> > >
> > > Elijah Roberts
> > > eroberts@alexandriasc.com
> >
>
>
> = __________________________________________________
> Do You Yahoo!?
> Yahoo! Shopping - Thousands of Stores. Millions = of Products.
> http://shopping.yahoo.com/
>

Michael R. Kuz
Developer
Service Intelligence
(403) 261-5000 ext. 363
mkuz@serviceintelligence.com

------_=_NextPart_001_01C065F1.54406E2A--