tomcat-users mailing list archives

From André Warnier
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Thu, 05 Jun 2008 23:56:59 GMT

Bill Davidson wrote:
> Christopher Schultz wrote:
>> Are you using cookies or URL-rewriting (or both) for your application?
>> Can you use a tool like LiveHTTPHeaders to observe the headers being
>> exchanged during the interaction described above?
> We are using cookies to track sessions.  I don't think we're using URL
> rewriting.  Servlets and jsp's are handed off to Tomcat.  Everything else
> is Apache httpd.
> We seem to be losing the cookie when a page being served from the SSL
> virtual host forwards to a page that is not SSL (back in the regular
> host on port 80).  No cookie means the server doesn't know that the
> browser is attached to the session it created for the user.

This may not be the cause of your problem, but I remember vaguely that 
there can be a flag in a cookie saying "for SSL only".  If such was the 
case, the browser may just decide to not send the cookie anymore, even 
to the same host, once you switch back to a non-SSL connection.

"losing the cookie" is also maybe a misnomer here.  The entity that "has 
the cookie" and decides to send it or not is the browser.  The only way 
the server can tell the browser to "lose a cookie", is by resending the 
same cookie with an expiration date in the past.  That should cause the 
browser to delete the cookie and not send it anymore.

What I mean is: to "set a cookie in the browser", the server sends a 
"Set-Cookie" HTTP header to the browser, along with some normal result 
page.  It does this once (or more, but once is enough).  After that, the 
browser will always send back the cookie with each request to the same
server, as a "Cookie:" HTTP header, until this cookie expires.  When the 
expiration date/time of the cookie is reached, the browser purges the 
cookie from its memory, and that is when it stops sending it.
There is no "Unset-Cookie" or "Stop-sending-this-cookie" HTTP header 
that the server can send to the browser.

> My lack of Apache skills is no doubt showing.  Is there a way to have
> Apache 2.2 serve both 80 (clear) and 443 (SSL) from the primary
> host instead of a virtual host?  I'm guessing that the switch from the
> virtual host to the main host (both with the same hostname and IP but
> listening on different ports) is what's causing the cookie to get lost.

As far as I know, a cookie is not port-specific.  Host or 
domain-specific yes, but port not.

