tomcat-users mailing list archives

From Martin Grüneberg <>
Subject Re: Re: Is there nobody who could help me with my session problem?
Date Wed, 17 Jan 2001 13:34:16 GMT
First of all thank you Kief and Jörg for your answers.

Ok, I am a beginner in webserver configuration and do not know much about
"virtual hosting" and webserver things.
I configured Tomcat with SSL as it is explained in the documentation.
Because I will use Tomcat in a standalone configuration I changed the HTTP
port to 80
and uncommented the connector for SSL on port 443.
In my application a user will have a "shopping-basket" (my English is very
bad :-(  )
which is stored in the user's session.
When he buys the things in the basket the connection is changed from http
to https.
But when the session gets lost on changing protocol and port, how will I
get the session
of the user?

Do I have to implement my own session management? (using PathInfo or so???)

Another stupid question: Is it possible to configure http and https on the
same port?


Jörg Ahrens wrote:

>Kief Morris wrote:
>> Martin Grüneberg typed the following on 01:42 AM 1/17/2001 +0100
>> >Because cookies are disabled in many browsers, I prefer
>> >session management with URL rewriting. (server.xml --> noCookies)
>> >On normal http requests the session management does a good job.
>> >But changing to a safe https SSL connection for sensitive data the
>> >is lost and a new session is created. Every time I reload this (https)
>> >a new session is returned!??
>> Tomcat won't add the session ID to a URL if the port numbers don't match,
>> which they won't when you're moving from HTTP to HTTPS. If you reload
>> the same URL, which doesn't have a session ID in it, and don't accept
>> cookies, you aren't sending a session ID to Tomcat, so it has to generate
>> a new session every time.
>> Nope. The only thing I can think of, other than submitting a patch so
>> doesn't use the port number to determine whether a URL should be
>> (I'm not sure whether such a patch would be accepted), is to manually
>> put the ID into the URL yourself.

>The Servlet Spec (2.3) says:

>	A servlet context can not be shared across virtual hosts.

>But there is no definition for "virtual host".

>Using URL rewriting, it is up to Tomcat to define this. If Tomcat
>is running standalone, this may be possible. Running as a backend for
>a webserver, it is not possible.

>Using cookies, it is up to the browser, to define the term "virtual
>as the browser stores the cookies for a host. As you might have expected
>different browsers take different decisions in this example:


>Netscape (at least running on linux) stores two cookies for two
>hosts whereas IE (not on linux) uses the same cookie for both URLs.

>It should be left to the Tomcat administrator to define which ports
>belong to the same virtual host.


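Added example, not part of the original message and not Tomcat's own code: a simplified, JDK-only model of the behaviour described in the thread. With cookies off, automatic rewriting skips a link whose port differs from the current request, so every reload of the HTTPS URL starts a new session, while putting the ID into the URL by hand keeps it. The class name, URLs, session ID and the `NEW-n` ID generator are constructed for illustration.

```java
import java.net.URI;

// Simplified model of the behaviour described in the thread; not Tomcat's source code.
public class SessionUrlDemo {
    static int nextId = 1; // stand-in for the container's session ID generator

    // Explicit port, or the scheme default, so http://host/ and http://host:80/ compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Manual rewriting: add the ID as the jsessionid path parameter, before any query string.
    static String withSessionId(String url, String sessionId) {
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    // Automatic rewriting as described in the thread: the ID is added only when the ports match.
    static String encodeUrl(URI current, String target, String sessionId) {
        boolean samePort = effectivePort(current) == effectivePort(URI.create(target));
        return samePort ? withSessionId(target, sessionId) : target;
    }

    // Server side with cookies off: reuse the ID found in the URL, otherwise start a new session.
    static String resolveSession(String url) {
        String marker = ";jsessionid=";
        int start = url.indexOf(marker);
        if (start < 0) return "NEW-" + (nextId++);
        int end = url.indexOf('?', start);
        return url.substring(start + marker.length(), end < 0 ? url.length() : end);
    }

    public static void main(String[] args) {
        URI basketPage = URI.create("http://shop.example/basket"); // constructed URLs and ID
        String checkout = "https://shop.example/checkout?step=1";
        String sid = "A1B2C3";

        String auto = encodeUrl(basketPage, checkout, sid); // ports 80 vs 443: left unchanged
        System.out.println(auto + " -> " + resolveSession(auto));
        System.out.println(auto + " -> " + resolveSession(auto)); // reload of the same URL
        String manual = withSessionId(checkout, sid);
        System.out.println(manual + " -> " + resolveSession(manual));
    }
}
```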