tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zabel, Ian" <IZa...@cirqit.com>
Subject Session lost between HTTPS and HTTP
Date Tue, 04 Feb 2003 17:35:13 GMT
All;

 

We are having a chronic problem that is causing a lot of trouble with our
application's users.

 

In our app, we authenticate users on our HTTPS server and then serve the
homepage also on HTTPS. All links on the homepage to the other pages in our
app switch the user to the same url on HTTP. If a user's session is created
on HTTPS (https://www.app.com <https://www.app.com/> ), when they are
switched over to HTTP (http://www.app.com <http://www.app.com/> ) the
session cookie is not sent by the browser and they therefore lose their
session.

 

NOTE: This is not a problem if the user's session is created on HTTP. The
session is created on HTTP, they authenticate over HTTPS and then are
switched back to HTTP, and their session is maintained with no problems.

 

Our workaround has been to pass the jsessionid on the url wherever we can,
but there are places we can't do this. 

 

We did not start having this problem until we switched from
Apache/ServletExec to Apache/Tomcat4.0.x/mod_jk.

 

We are using Apache with OpenSSL to serve our HTTPS pages.

 

Is it valid for a cookie created on HTTPS to be sent to the same exact URL
on HTTP?

 

Ian.

 

 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message