From: "Alistair Hopkins"
To: tomcat-user@jakarta.apache.org
Subject: RE: HttpSession across virtual hosts
Date: Thu, 8 Feb 2001 14:30:52 -0000

The http // https comparison doesn't work as cookies are sent or not depending on the host, not on the protocol. So if I have a valid session_id in a cookie in http, that will still be sent when I switch to https.

So I can either have a common pool of current cookies if my https server is separate from my http server (seems a hard way to do it) or I just access the software (e.g. Tomcat) via a webserver (e.g. Apache) through either protocol and the session continues without complaint.

Unless I did something complicated without noticing, of course...

-----Original Message-----
From: Randy Layman [mailto:randy.layman@aswethink.com]
Sent: Thursday, February 08, 2001 1:13 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: HttpSession across virtual hosts

What I've seen done, which doesn't necessarily make it secure, is to send some form of CartID. This ID identifies the Cart in some shared back end data store.

Usually these are large numbers that contain enough information to determine if it's a possible real value, or a number someone made up. If it's something that someone made up, usually their IP is locked out for a certain amount of time or a session field is set that doesn't allow them in as long as that same session is valid.

Randy

-----Original Message-----
From: David Oxley [mailto:dave@staffplanner.co.uk]
Sent: Thursday, February 08, 2001 8:08 AM
To: 'tomcat-user@jakarta.apache.org'
Subject: RE: HttpSession across virtual hosts

> I sort-of understand what you're doing, but I'm not clear on a couple of details.
> What do you mean when you say you've "coded a request"? How exactly is
> the session ID passed from the original host to the new host, is this by a
> form field embedded into the HTML, or is it all on the server side?

Like URL-encoded session management. The host passes our session id back to the server when changing hosts so that it can be connected to the new HttpSession.

Doesn't normal session management have exactly the same problem? When writing an E-Commerce system the basket is normally chosen on an unsecure host and then the user is put on to a secure host to checkout their products. You need to be able to id the user between the two hosts. There has to be a 'secure' way of doing this?!?!

Dave
Dave@Staffplanner.co.uk

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-user-help@jakarta.apache.org
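Randy's CartID scheme, as an added example that is not code from the thread or from Tomcat: a cart ID whose random part carries an HMAC tag, so a made-up value can be rejected before any data-store lookup, together with the per-client lockout he describes. It is written in Python rather than as a servlet; the key, the thresholds and the client identifier are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key shared by the http and https hosts (constructed value for this example;
# a deployment would load it from configuration, never hard-code it).
SERVER_KEY = b"example-key-shared-by-both-hosts"
RANDOM_BYTES = 16        # 128 random bits: infeasible to guess
TAG_BYTES = 16           # truncated HMAC-SHA256 tag appended to the random part
LOCKOUT_THRESHOLD = 3    # made-up IDs from one client before it is locked out
LOCKOUT_SECONDS = 600

def _tag(random_part: bytes) -> bytes:
    return hmac.new(SERVER_KEY, random_part, hashlib.sha256).digest()[:TAG_BYTES]

def new_cart_id() -> str:
    """Issue a cart ID: random part || HMAC tag, hex-encoded for a URL or form field."""
    random_part = secrets.token_bytes(RANDOM_BYTES)
    return (random_part + _tag(random_part)).hex()

def is_well_formed(cart_id: str) -> bool:
    """Cheap check that we issued this ID, done before any data-store lookup."""
    try:
        raw = bytes.fromhex(cart_id)
    except ValueError:
        return False
    if len(raw) != RANDOM_BYTES + TAG_BYTES:
        return False
    random_part, tag = raw[:RANDOM_BYTES], raw[RANDOM_BYTES:]
    # constant-time compare so response timing does not reveal how many tag bytes matched
    return hmac.compare_digest(_tag(random_part), tag)

class CartIdChecker:
    """Counts made-up IDs per client and locks that client out after a few of them."""
    def __init__(self) -> None:
        self._failures = {}  # client -> (failure count, locked out until)

    def check(self, client: str, cart_id: str, now=None) -> bool:
        now = time.time() if now is None else now
        count, until = self._failures.get(client, (0, 0.0))
        if now < until:
            return False  # still locked out, even for a valid ID
        if is_well_formed(cart_id):
            return True
        count += 1
        until = now + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0.0
        self._failures[client] = (count, until)
        return False
```

The tag only proves the ID was issued by a server holding the key; the random part is what keeps one customer from guessing another's cart, and the shared data store still has to check that the cart belongs to the presenting user.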