From: "mech"
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Subject: form based auth problem when disallowing cookies
Date: Sat, 8 Feb 2003 18:56:50 +0100
Message-ID: <000d01c2cf9b$78503c80$0101a8c0@meduron700>
List-Id: "Tomcat Users List" (run by ezmlm; contact tomcat-user-help@jakarta.apache.org)

Hi,

I'm using Tomcat 4.1.18 with a form based auth method. My login.jsp is in a directory /login/ and for that directory I've also set a security constraint which switches to https for logon (and stays in https, of course).

I have no problem when I use cookies, but I see a bit of strange behaviour if I don't use cookies:

1. Surf around the webapp. A sessionid is generated and attached to the url via url rewriting.
2. Click the login link and load login.jsp, simultaneously switching to https.
3. Still the same sessionid in the url as before. The login form screen prompts.
4. I use the correct username/password to login. I see no error, but the sessionid got changed in the url and the login form is prompted again, and I'm not yet "in"!
5. If I login again, I keep the "new" sessionid and can continue as normal, and finally the login is successful.

Step 4 is different to what I have with cookies. I don't need to login twice, and the sessionid that is in the cookie also stays the same before and after.

So actually my previous session also gets destroyed after logon, and I couldn't take my session beans (for example a shopping cart) into https while using url rewriting for session tracking. If I use cookies, that's possible.

Any ideas what I do wrong? Is this a bug (if yes, in my webapp or Tomcat), or is it a "wanted security thing" that you can't grab someone's session id from the url, for example to manipulate the session from a second http browser window after an https logon was done in another window?!

Thx
Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
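As an added illustration (not Michael's actual page, and not a diagnosis of his double-prompt), here is a form-login page for the setup he describes: FORM auth-method, login.jsp under /login/, and that directory constrained to https. It assumes a web.xml with `<auth-method>FORM</auth-method>`, `<form-login-page>/login/login.jsp</form-login-page>`, and a `<security-constraint>` on `/login/*` whose `<transport-guarantee>` is `CONFIDENTIAL`; the form's action goes through `response.encodeURL()`, which is the servlet API call that appends `;jsessionid=...` when the container cannot rely on a cookie. The page also prints the checks a practitioner wants when the id in the url changes between requests: whether the requested id came from the url or a cookie, whether the container still considers it valid, and whether the session it handed back is new. The `esc()` helper is this example's own and exists only so that a client-supplied id cannot inject markup into the page.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- login.jsp: form-login page for a FORM auth-method webapp.
     Added example, not the poster's own page. Assumed web.xml (not shown):
       <login-config><auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/login/login.jsp</form-login-page>
           <form-error-page>/login/error.jsp</form-error-page>
         </form-login-config></login-config>
       plus a security-constraint on /login/* with
       <transport-guarantee>CONFIDENTIAL</transport-guarantee> --%>
<%!
    // Escape for HTML so a client-supplied id cannot inject markup into this page.
    private static String esc(String s) {
        if (s == null) return "null";
        StringBuffer b = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': b.append("&lt;"); break;
                case '>': b.append("&gt;"); break;
                case '&': b.append("&amp;"); break;
                case '"': b.append("&quot;"); break;
                default: b.append(c);
            }
        }
        return b.toString();
    }
%>
<%
    // Diagnostics: where did the id on this request come from, and does the
    // container still accept it? 'session' is the JSP implicit object.
    String requested = request.getRequestedSessionId();
    boolean fromUrl = request.isRequestedSessionIdFromURL();
    boolean fromCookie = request.isRequestedSessionIdFromCookie();
    boolean valid = request.isRequestedSessionIdValid();

    // encodeURL appends ;jsessionid=... only when the session cannot be
    // tracked by cookie; a literal "j_security_check" would drop the id
    // from the POST when cookies are disabled.
    String action = response.encodeURL("j_security_check");
%>
<html>
<head><title>Login</title></head>
<body>
<%-- Diagnostic block: remove before deployment, a session id is a credential
     and should not be rendered into a page. --%>
<p>
  requested id: <%= esc(requested) %>
  (from url: <%= fromUrl %>, from cookie: <%= fromCookie %>, valid: <%= valid %>)<br>
  current id: <%= esc(session.getId()) %>
  (new session: <%= session.isNew() %>, https: <%= request.isSecure() %>)
</p>
<form method="POST" action="<%= esc(action) %>">
  Username: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>
  <input type="submit" value="Login">
</form>
</body>
</html>
```

Reading the diagnostic line across the steps in the post tells you whether the id was still sent to the container on each request (requested id non-null, from url true) and whether the container rejected it (valid false) before the form was rendered again. Note also that an id carried in the url is visible in Referer headers and server logs in a way a cookie is not, which is the usual argument for not carrying one across an http to https boundary.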