tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: AW: JSessionID
Date Tue, 10 Jan 2006 03:08:19 GMT

"Jess Holle" <> wrote in message
> Conveying servlet sessions by SSL session is clearly not required by the 
> spec, though...
> I'm not sure whether Tomcat supports this...

It doesn't (mostly because nobody has been interested enough to write the 
code for it).

> Bernhard Slominski wrote:
>>I just looked it up in the spec and there is a 3rd one as well: SSL 
>>>>From the Servlet spec:
>>"SRV.7.1 Session Tracking Mechanisms
>>The following sections describe approaches to tracking a user's sessions
>>SRV.7.1.1 Cookies
>>Session tracking through HTTP cookies is the most used session tracking
>>mechanism and is required to be supported by all servlet containers.
>>The container sends a cookie to the client. The client will then return 
>>cookie on each subsequent request to the server, unambiguously associating
>>request with a session. The name of the session tracking cookie must be
>>SRV.7.1.2 SSL Sessions
>>Secure Sockets Layer, the encryption technology used in the HTTPS 
>>has a
>>built-in mechanism allowing multiple requests from a client to be
>>identified as being part of a session. A servlet container can easily use
>>this data to
>>define a session.
>>SRV.7.1.3 URL Rewriting
>>URL rewriting is the lowest common denominator of session tracking. When a
>>client will not accept a cookie, URL rewriting may be used by the server 
>>the basis
>>for session tracking. URL rewriting involves adding data, a session ID, to
>>the URL
>>path that is interpreted by the container to associate the request with a
>>The session ID must be encoded as a path parameter in the URL string. The
>>name of the parameter must be jsessionid.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message