tomcat-users mailing list archives

From Mark Thomas
Subject Re: Session lost when switching from https to http after upgrade to Tomcat 6
Date Fri, 06 Jun 2008 20:30:21 GMT

André Warnier wrote:
> A lot of speculation here, but who knows ?
Indeed. And it is all wrong.

> To my knowledge, there exists no case where the browser would not send a 
> cookie with every request, if it has it and it is valid.
Well, there is the obvious example Rainer has already given of cookies 
marked as secure. Given that the session is created under https this is 
probably what is happening. Sessions are not maintained in transitions from 
https to http.

If you need to protect the session creation with https then you should 
almost certainly be providing the same level of protection for the session ID.
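
Added example, not part of the original message: the behaviour described above, reproduced with Python's `http.cookiejar` standing in for the browser's cookie store. The host `app.example.com`, the session ID value, and the `FakeResponse` helper are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample values (assumptions, not from the thread).
HTTPS_URL = "https://app.example.com/app/login"
HTTP_URL = "http://app.example.com/app/cart"
SESSION_COOKIE = "JSESSIONID=0123ABCD; Path=/app"


class FakeResponse:
    """Hypothetical stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def jar_after_https_login(secure):
    """Store the session cookie as a client would after an https response."""
    value = SESSION_COOKIE + ("; Secure" if secure else "")
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(value), urllib.request.Request(HTTPS_URL))
    return jar


def cookie_header_sent(jar, url):
    """Return the Cookie header the client attaches to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    # Secure=True: the cookie is withheld on http, so the server sees no session.
    # Secure=False: the session survives, but the ID travels unencrypted.
    for secure in (True, False):
        jar = jar_after_https_login(secure)
        for url in (HTTPS_URL, HTTP_URL):
            print(f"Secure={secure!s:5} {url:35} Cookie: {cookie_header_sent(jar, url)}")
```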

