tomcat-users mailing list archives

From "Martin Alley" <martin.al...@ntlworld.com>
Subject Session behaviour across http/https boundary
Date Thu, 08 Apr 2004 16:38:02 GMT
Hi,

I have a small web app that appears to illustrate the following
behaviour.
Session started in http is carried over to https, but session started in
https is *not* carried over to http!

Why?


Web app has 3 pages
Index.jsp
Page2.jsp
Logout.jsp (does session invalidate & forward to index.jsp)

1) go to index.jsp as http (session1)
2) follow https link to page2.jsp (session1)
3) follow https link to logout.jsp 
4) now at https index.jsp with session2 (session2 created in https world)
5) follow https link to page2.jsp again (session2)
6) follow *http* link to index.jsp (session 3!!!)

I don't understand why session 3 is created.

I read that old browsers don't maintain sessions between http and https;
I'm using IE6.

Can anyone explain this?

Thanks
Martin
PS Code is below.





******************Index.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>

<html>
<body>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        // getSession(false) returns the current session without creating one
        HttpSession mysession = req.getSession(false);

        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("index.jsp");
        __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
%>
<p>
SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>

</p>

<p>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/page2.jsp")%>">page2</a>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>
</body>
</html>
********************page2.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<html>
<body>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        HttpSession mysession = req.getSession(false);

        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("page2");
        __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
%>
<p>
SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>

</p>

<p>
<a href="<%=response.encodeURL("http://localhost:8080/sessiontest/index.jsp")%>">index page</a><br/>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>

</body>
</html>


*************logout.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        HttpSession mysession = req.getSession(false);
        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("logout.jsp");
        __log.info("pre invalidate SessionID="+(mysession==null?"null":mysession.getId()));

        // "session" is the JSP implicit session object
        if (session!=null)
                session.invalidate();

        __log.info("post invalidateSessionID="+(mysession==null?"null":mysession.getId()));

        // Hand the same request on to index.jsp
        RequestDispatcher rd = req.getRequestDispatcher("/index.jsp");
        rd.forward(req, (HttpServletResponse)response);

%>






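Added example, not part of the original message and not Tomcat's own code: a small Python model that replays the six steps from the post. It assumes the container marks the session cookie Secure only when the session is created over HTTPS, and that the browser returns a Secure cookie only over HTTPS. Container, Browser and replay_steps are hypothetical names, and the jar simply keeps the most recent cookie.

```python
import itertools

class Container:
    """Hypothetical stand-in for the servlet container's session handling."""
    def __init__(self):
        self.sessions = set()
        self._ids = itertools.count(1)

    def handle(self, secure, cookie_value, invalidate=False):
        """Return (session_id, set_cookie); set_cookie is None or a dict."""
        sid = cookie_value if cookie_value in self.sessions else None
        if invalidate and sid:
            self.sessions.discard(sid)   # logout.jsp: session.invalidate()
            sid = None                   # the forward to index.jsp then gets a new one
        if sid:
            return sid, None
        sid = f"session{next(self._ids)}"
        self.sessions.add(sid)
        # Modelled assumption: Secure is set iff the creating request used HTTPS.
        return sid, {"value": sid, "secure": secure}

class Browser:
    """Cookie jar for one host; cookies are shared across ports and schemes."""
    def __init__(self, container):
        self.container, self.cookie = container, None

    def get(self, scheme, invalidate=False):
        secure = scheme == "https"
        # A Secure cookie is sent over HTTPS only; a non-Secure one is sent on both.
        send = self.cookie is not None and (secure or not self.cookie["secure"])
        sid, set_cookie = self.container.handle(
            secure, self.cookie["value"] if send else None, invalidate)
        if set_cookie:
            self.cookie = set_cookie     # model simplification: newest cookie wins
        return sid

def replay_steps():
    """The six steps from the post (steps 3 and 4 are one request plus a forward)."""
    b = Browser(Container())
    return [b.get("http"),                    # 1) index.jsp over http
            b.get("https"),                   # 2) page2.jsp over https
            b.get("https", invalidate=True),  # 3+4) logout.jsp, forwarded to index.jsp
            b.get("https"),                   # 5) page2.jsp over https
            b.get("http")]                    # 6) index.jsp over http

if __name__ == "__main__":
    print(replay_steps())
```

In this model the cookie issued in step 1 carries no Secure attribute and so accompanies the HTTPS request in step 2, while the cookie issued after logout is Secure and is withheld from the plain-HTTP request in step 6.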