tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: Sessions - SSL
Date Thu, 13 Nov 2003 10:03:05 GMT
On 11/13/2003 10:24 AM Harry Mantheakis wrote:
>>URL-rewriting sessions are not 'transferable' as per the Servlet 2.3 Spec.
>>Cookie session in Tomcat 3.3.2 and higher follow the rules:
>>a) If you create the session with a non-SSL request, then it will be
>>transfered back and forth between SSL and non-SSL (unless, of course, your
>>browser chooses to not send the cookie :).
>>b) If you create the session with a SSL request, then it won't be available
>>for non-SSL requests.
> Thanks for that information - it fits in with my experience.
> I've just done a search for 'SSL' on the 2.3 specifications, and I did not
> find anything that corresponds to these two rules (though I might have
> missed it).
> Am I to assume that these two rules are container-specific?

Point (b) is interesting - I hadn't realised that.

I doubt very much that this implementation is container-specific to 
tomcat. Did you try searching on 'user-data-constraint' or 'confidential'?

struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message