tomcat-users mailing list archives

From Jörg Ahrens <joerg.ahr...@braincapital.de>
Subject Re: Is there nobody who could help me with my session problem?
Date Wed, 17 Jan 2001 12:46:30 GMT
Kief Morris wrote:
> 
> Martin Grüneberg typed the following on 01:42 AM 1/17/2001 +0100
> >Because cookies are disabled in many browsers, I prefer
> >session management with URL rewriting. (server.xml --> noCookies)
> >On normal http requests the session management does a good job.
> >But changing to a safe https SSL connection for sensitive data the session
> >is lost and a new session is created. Every time I reload this (https) page
> >a new session is returned!??
> 
> Tomcat won't add the session ID to a URL if the port numbers don't match,
> which they won't when you're moving from HTTP to HTTPS. If you reload
> the same URL, which doesn't have a session ID in it, and don't accept
> cookies, you aren't sending a session ID to Tomcat, so it has to generate
> a new session every time.
> 
> Nope. The only thing I can think of, other than submitting a patch so Tomcat
> doesn't use the port number to determine whether a URL should be rewritten
> (I'm not sure whether such a patch would be accepted), is to manually
> put the ID into the URL yourself.
> 

The Servlet Spec (2.3) says:

	A servlet context can not be shared across virtual hosts.

But there is no definition for "virtual host". 

Using URL rewriting, it is up to Tomcat to define this. If Tomcat
is running standalone, this may be possible. Running as a backend for
a webserver, it is not possible.

Using cookies, it is up to the browser to define the term "virtual
host", as the browser stores the cookies for a host. As you might have
expected, different browsers take different decisions in this example:
	
	https://nohost.nowhere.net/...
	https://nohost.nowhere.net:443/...

Netscape (at least running on Linux) stores two cookies for two
different hosts, whereas IE (not on Linux) uses the same cookie for
both URLs.

It should be left to the Tomcat administrator to define which ports
belong to the same virtual host.

Jörg
--
----------------------------------------------------------------------
Jörg Ahrens                                            _/ 
brainCAPITAL GmbH                                    _/_/      
Tel.: 0511/8488 5303                               _/  _/           
email: joerg.ahrens@braincapital.de        _/    _/_/_/_/  
.                                        _/_/_/_/      _/
----------------------------------------------------------------------
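
The following is an added example, not part of the original message and not Tomcat code: a self-contained Java model of the behaviour discussed in the thread, where the session ID is written into a URL by hand, but only when the target's host and port are in an administrator-defined set for one virtual host. The class and method names, the port set {80, 443} and the session ID value are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Tomcat's API.
public class SessionUrlRewriter {
    private final String host;        // virtual host name
    private final Set<Integer> ports; // assumption: admin-listed ports of that host

    public SessionUrlRewriter(String host, Set<Integer> ports) {
        this.host = host;
        this.ports = ports;
    }

    // Fill in the scheme default so https://h/ and https://h:443/ compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    boolean sameVirtualHost(URI u) {
        return u.getHost() != null && host.equalsIgnoreCase(u.getHost())
                && ports.contains(effectivePort(u));
    }

    // Append ;jsessionid=<id> to the path (before ?query or #fragment).
    // URLs outside the configured host/port set, relative URLs and URLs that
    // already carry an ID are returned unchanged, so the ID is not sent elsewhere.
    public String encode(String url, String sessionId) {
        URI u = URI.create(url);
        if (!sameVirtualHost(u) || url.contains(";jsessionid=")) return url;
        int cut = url.length();
        int q = url.indexOf('?'), f = url.indexOf('#');
        if (q >= 0) cut = q;
        if (f >= 0 && f < cut) cut = f;
        String slash = u.getRawPath().isEmpty() ? "/" : ""; // https://h -> https://h/
        return url.substring(0, cut) + slash + ";jsessionid=" + sessionId + url.substring(cut);
    }

    public static void main(String[] args) {
        SessionUrlRewriter r = new SessionUrlRewriter("nohost.nowhere.net", Set.of(80, 443));
        String id = "CONSTRUCTED0123"; // constructed sample value, not a real session ID
        System.out.println(r.encode("https://nohost.nowhere.net/pay?x=1", id));  // rewritten
        System.out.println(r.encode("https://nohost.nowhere.net:443/pay", id));  // rewritten
        System.out.println(r.encode("https://nohost.nowhere.net:8443/pay", id)); // unchanged
        System.out.println(r.encode("https://other.example/pay", id));           // unchanged
    }
}
```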
