tomcat-users mailing list archives

From Tim Funk <>
Subject Re: Why does encodeURL not include Session ID when switching between HTTP and HTTPS
Date Sun, 01 Dec 2002 23:17:11 GMT
I think the question to ask is (which I can't answer):
Will encodeURL() encode URLs if the request protocol [or for that 
matter, server] is different?

You are switching from http to https. Since this is a different 
namespace, all bets may be off whether encodeURL will work like the way 
you wish.

The javadocs [from the spec] say:
"Encodes the specified URL by including the session ID in it, or, if 
encoding is not needed, returns the URL unchanged. The implementation of 
this method includes the logic to determine whether the session ID needs 
to be encoded in the URL. For example, if the browser supports cookies, 
or session tracking is turned off, URL encoding is unnecessary."

So one may say - since the namespace is changing from http to https or 
vice versa - the implementation of encodeURL does not need to encode the 


Raiden wrote:
> A quick addendum... is there a setting somewhere that I need to explicitly
> state that my server is, and therefore regardless of
> protocol (HTTP or HTTPS), all links at this server should be encoded with
> the session id?
> Thanks again,
> Raiden
> On Sun, 1 Dec 2002, Raiden wrote:
>>I have searched the archives, and while I have seen several people ask
>>this question, there doesn't seem to be an agreed upon answer/solution.
>>I am using Tomcat 4.1.12.  When cookies are on, I can switch between http
>>and https just fine, while maintaining my session.  (I am using the Ajp13
>>connector with Apache, and so Apache does all my SSL management.)
>>However, when cookies are off... URL rewriting ONLY seems to work when I
>>stay on the same protocol.  (Start on an HTTP page, all HTTP links are
>>properly encoded with the session id.  Start on an HTTPS page, all HTTPS
>>links are properly encoded with the session id.  However, start in either
>>protocol, and the links for the other protocol are NOT properly encoded.)
>>As soon as I try and encode a link that would switch the protocol from
>>HTTP to HTTPS or HTTPS to HTTP, those links do not include the session
>>I have every link surrounded by response.encodeURL().
>>Does anyone know why the encodeURL method does not seem to be including
>>the session id when I attempt to include a link that is in a different
>>I'm assuming it's because the encodeURL method does not think
>> and are able to maintain
>>the same session... but I can't understand why... especially since Tomcat
>>and Netscape and IE have agreed to send the session cookie on both
>>protocols, when using cookies to maintain sessions.

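An illustration of the behaviour discussed in this thread, added here and not part of either message or of Tomcat's source: a simplified model of a container-side check that appends the session ID only to links whose scheme, host and port match the current request. The class and method names, the host `shop.example` and the session ID are constructed for the example, and the comparison rule is this example's assumption about how a container makes the decision.

```java
import java.net.URI;

// Added example: a simplified model, not Tomcat source. All names are hypothetical.
public class EncodeUrlModel {

    // Port to compare when a URL does not name one explicitly.
    static int effectivePort(String scheme, int port) {
        if (port != -1) return port;
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    // True when the link targets the same scheme, host and port as the request.
    static boolean sameOrigin(URI request, URI link) {
        return request.getScheme().equalsIgnoreCase(link.getScheme())
            && request.getHost().equalsIgnoreCase(link.getHost())
            && effectivePort(request.getScheme(), request.getPort())
               == effectivePort(link.getScheme(), link.getPort());
    }

    // Models encodeURL(): the session ID is appended only when the session is
    // not already tracked by cookie and the link passes the origin comparison.
    static String encodeURL(URI request, String link, String sessionId, boolean idFromCookie) {
        if (sessionId == null || idFromCookie || link.startsWith("#")) return link;
        URI target = request.resolve(link); // relative links inherit the request's origin
        if (target.getHost() == null || !sameOrigin(request, target)) return link;
        // The ;jsessionid path parameter goes before any query string or fragment.
        int cut = link.length();
        for (char c : new char[] {'?', '#'}) {
            int i = link.indexOf(c);
            if (i >= 0 && i < cut) cut = i;
        }
        return link.substring(0, cut) + ";jsessionid=" + sessionId + link.substring(cut);
    }

    public static void main(String[] args) {
        URI request = URI.create("http://shop.example/app/cart.jsp"); // constructed request URL
        String sid = "0123ABCD";                                      // constructed session ID
        String[] links = {
            "checkout.jsp?step=1",                    // relative: same origin as the request
            "http://shop.example/app/checkout.jsp",   // absolute, same scheme
            "https://shop.example/app/checkout.jsp"   // absolute, scheme switch
        };
        for (String link : links) {
            System.out.println(link + " -> " + encodeURL(request, link, sid, false));
        }
        // Same relative link when the browser returned the session cookie.
        System.out.println(encodeURL(request, "checkout.jsp?step=1", sid, true));
    }
}
```

With these constructed inputs the two same-scheme links come back carrying `;jsessionid=0123ABCD`, while the `https` link and the cookie-tracked case are returned unchanged.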