From: "George Sexton"
To: "'Tomcat Users List'"
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Date: Wed, 15 Feb 2006 12:24:38 -0700

In my shopping cart application, I create a cart with a unique (random) id
and track the request type (secure/non-secure). If they invoke the program
from an SSL request, and the previous request was non-SSL, then I create a
new cart with a new unique ID, copy the information from the insecure cart,
and then delete the old cart. If someone tries to come back with the old
cart id, then that cart just doesn't exist and they get a new cart.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

> -----Original Message-----
> From: Joey Geiger [mailto:joey@staff.onmilwaukee.com]
> Sent: Wednesday, February 15, 2006 11:50 AM
> To: 'Tomcat Users List'
> Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
>
> >>You do realize that sessions don't carry over between SSL and non-SSL
> >>request don't you?
>
> What is the proper/best way to go about this then, since I will be facing a
> similar situation in the near future? (Shopping cart bean, customer bean
> saved in the session.)
>
> Thanks.
>
>
> -----Original Message-----
> From: George Sexton [mailto:gsexton@mhsoftware.com]
> Sent: Wednesday, February 15, 2006 12:17 PM
> To: 'Tomcat Users List'; mao@simplexsoftware.com; edyke@vrs.state.va.us;
> alexandre.tastet@fr.fortisbank.com
> Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
>
> You do realize that sessions don't carry over between SSL and non-SSL
> request don't you?
>
> You can't have a session ID that carries over from a non-ssl session to an
> SSL session because that session ID is compromised (it has been exposed) as
> plain text.
>
> As an aside, I looked at your form. You should really use
> HttpServletRequest.getLocale() to pick up your user's locale and then
> provide date formatting for the user locale.
>
> George Sexton
> MH Software, Inc.
> http://www.mhsoftware.com/
> Voice: 303 438 9585
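
The cart hand-off described at the top of this message, written in plain Java as an added example; it is not code from the post or from Tomcat. `CartStore`, `Cart` and `resolve()` are hypothetical names, and an in-memory map stands in for the application's real cart storage.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: CartStore, Cart and resolve() are hypothetical names.
public class CartStore {
    static final class Cart {
        final String id;
        volatile boolean lastSecure;   // was the previous request for this cart over SSL?
        final List<String> items = new ArrayList<>();
        Cart(String id, boolean secure) { this.id = id; this.lastSecure = secure; }
    }

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Cart> carts = new ConcurrentHashMap<>();

    private Cart create(boolean secure) {
        byte[] raw = new byte[16];     // 128 random bits, so the id cannot be guessed
        rng.nextBytes(raw);
        Cart c = new Cart(Base64.getUrlEncoder().withoutPadding().encodeToString(raw), secure);
        carts.put(c.id, c);
        return c;
    }

    // Returns the cart to use for this request; presentedId may be null.
    public Cart resolve(String presentedId, boolean requestIsSecure) {
        Cart old = presentedId == null ? null : carts.get(presentedId);
        if (old == null) return create(requestIsSecure);  // unknown or retired id: new cart
        if (requestIsSecure && !old.lastSecure) {
            // The id has travelled in plain text: retire it before issuing a new one.
            // remove() is atomic, so only one concurrent request wins the hand-off.
            if (carts.remove(old.id) == null) return create(true);
            Cart fresh = create(true);
            fresh.items.addAll(old.items);                // copy the contents across
            return fresh;
        }
        old.lastSecure = requestIsSecure;
        return old;
    }

    public static void main(String[] args) {
        CartStore store = new CartStore();
        Cart plain = store.resolve(null, false);          // first request, non-SSL
        plain.items.add("SKU-1001");                      // constructed sample item
        Cart ssl = store.resolve(plain.id, true);         // same visitor, now over SSL
        Cart replay = store.resolve(plain.id, true);      // exposed id presented again
        System.out.println("id rotated:      " + !ssl.id.equals(plain.id));
        System.out.println("items carried:   " + ssl.items);
        System.out.println("replay is empty: " + replay.items.isEmpty());
    }
}
```

Because `lastSecure` is updated on every request, a cart issued over SSL that is later presented on a non-SSL request is rotated again at the next SSL request, matching the "previous request was non-SSL" condition in the message.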