tomcat-users mailing list archives

From "Martin" <mgai...@hotmail.com>
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Fri, 06 Jun 2008 01:12:09 GMT
if your client doesn't want to write cookies
URL-rewrite is the answer
http://tuckey.org/urlrewrite/

Apache analog is mod_rewrite

HTH
Martin
----- Original Message ----- 
From: "André Warnier" <aw@ice-sa.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, June 05, 2008 7:56 PM
Subject: Re: Moving from a very old Tomcat to a new Tomcat.


>
>
> Bill Davidson wrote:
>> Christopher Schultz wrote:
>>> Are you using cookies or URL-rewriting (or both) for your application?
>>> Can you use a tool like LiveHTTPHeaders to observe the headers being
>>> exchanged during the interaction described above?
>> We are using cookies to track sessions.  I don't think we're using URL
>> rewriting.  Servlets and jsp's are handed off to Tomcat.  Everything else
>> is Apache httpd.
>>
>> We seem to be losing the cookie when a page being served from the SSL
>> virtual host forwards to a page that is not SSL (back in the regular host on
>> port 80).  No cookie means the server doesn't know that the browser is
>> attached to the session it created for the user.
>
> This may not be the cause of your problem, but I remember vaguely that 
> there can be a flag in a cookie saying "for SSL only".  If such was the 
> case, the browser may just decide to not send the cookie anymore, even to 
> the same host, once you switch back to a non-SSL connection.
>
> "losing the cookie" is also maybe a misnomer here.  The entity that "has 
> the cookie" and decides to send it or not is the browser.  The only way 
> the server can tell the browser to "lose a cookie", is by resending the 
> same cookie with an expiration date in the past.  That should cause the 
> browser to delete the cookie and not send it anymore.
>
> What I mean is : to "set a cookie in the browser", the server sends a 
> "Set-Cookie" HTTP header to the browser, along with some normal result 
> page.  It does this once (or more, but once is enough).  After that, the 
> browser will always send back the cookie with each request to the same
> server, as a "Cookie:" HTTP header, until this cookie expires.  When the 
> expiration date/time of the cookie is reached, the browser purges the 
> cookie from its memory, and that is when it stops sending it.
> There is no "Unset-Cookie" or "Stop-sending-this-cookie" HTTP header that 
> the server can send to the browser.
>
>>
>> My lack of Apache skills is no doubt showing.  Is there a way to have
>> Apache 2.2 serve both 80 (clear) and 443 (SSL) from the primary
>> host instead of a virtual host?  I'm guessing that the switch from the
>> virtual host to the main host (both with the same hostname and IP but
>> listening on different ports) is what's causing the cookie to get lost.
>
> As far as I know, a cookie is not port-specific.  Host or domain-specific 
> yes, but port not.
>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>




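The cookie behaviour discussed in this thread (the "for SSL only" flag, scoping by host rather than port, deletion through a past expiry date), modeled as an added example that is not part of the original messages. The `CookieJar` class, host name and cookie values are constructed for illustration; Domain handling is omitted and path matching is simplified to a prefix test.

```javascript
// Added example: a minimal model of how a browser decides to send a cookie.
// Not a full RFC 6265 implementation (no Domain attribute, prefix-only paths).

function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   host: originHost, path: "/", secure: false, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = new Date(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Handle a Set-Cookie response header received from `url`.
  store(header, url, now = new Date()) {
    const c = parseSetCookie(header, new URL(url).hostname);
    const key = `${c.host}|${c.path}|${c.name}`;
    // Re-sending a cookie with a past expiry date is how a server deletes it.
    if (c.expires && c.expires <= now) this.cookies.delete(key);
    else this.cookies.set(key, c);
  }

  // Build the Cookie request header for `url`, or null if nothing matches.
  headerFor(url, now = new Date()) {
    const u = new URL(url);
    const out = [];
    for (const c of this.cookies.values()) {
      if (c.expires && c.expires <= now) continue;        // expired: purged
      if (c.host !== u.hostname) continue;                // host-scoped, port ignored
      if (!u.pathname.startsWith(c.path)) continue;       // simplified path match
      if (c.secure && u.protocol !== "https:") continue;  // Secure: HTTPS only
      out.push(`${c.name}=${c.value}`);
    }
    return out.length ? out.join("; ") : null;
  }
}
```

A session cookie set with `Secure` on the HTTPS side is withheld by the browser on the port 80 request, which the server sees as a request with no session.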