tomcat-users mailing list archives

From Kief Morris <k...@bitbull.com>
Subject RE: HttpSession across virtual hosts
Date Thu, 08 Feb 2001 16:48:04 GMT

David Oxley typed the following on 01:07 PM 2/8/2001 +0000
>>I sort-of understand what you're doing, but I'm not clear on a couple of
>>details.
>>What do you mean when you say you've "coded a request"? How exactly is
>>the session ID passed from the original host to the new host, is this by a
>>form field embedded into the HTML, or is it all on the server side?
>
>Like URL-Encoded session management. The host passes our session id back to
>the server when changing hosts so that it can be connected to the new
>HttpSession.
>
>Doesn't normal session management have exactly the same problem? When
>writing an E-Commerce system the basket is normally chosen on an unsecure
>host and then the user is put on to a secure host to checkout their
>products. You need to be able to id the user between the two hosts. There
>has to be a 'secure' way of doing this?!?!

It's problematic, because some browsers (I don't recall which) will send a
cookie that was set by http://foo.com to https://foo.com, and some won't.
Maybe somebody else can shed light on this.

Kief

