If your client doesn't want to write cookies,
URL-rewrite is the answer
http://tuckey.org/urlrewrite/
Apache analog is mod_rewrite
HTH
Martin
----- Original Message -----
From: "André Warnier" <aw@ice-sa.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, June 05, 2008 7:56 PM
Subject: Re: Moving from a very old Tomcat to a new Tomcat.
>
>
> Bill Davidson wrote:
>> Christopher Schultz wrote:
>>> Are you using cookies or URL-rewriting (or both) for your application?
>>> Can you use a tool like LiveHTTPHeaders to observe the headers being
>>> exchanged during the interaction described above?
>> We are using cookies to track sessions. I don't think we're using URL
>> rewriting. Servlets and jsp's are handed off to Tomcat. Everything else
>> is Apache httpd.
>>
>> We seem to be losing the cookie when a page being served from the SSL
>> virtual host forwards to a page that is not SSL (back in the regular host
>> on port 80). No cookie means the server doesn't know that the browser is
>> attached to the session it created for the user.
>
> This may not be the cause of your problem, but I remember vaguely that
> there can be a flag in a cookie saying "for SSL only". If such was the
> case, the browser may just decide to not send the cookie anymore, even to
> the same host, once you switch back to a non-SSL connection.
>
> "losing the cookie" is also maybe a misnomer here. The entity that "has
> the cookie" and decides to send it or not is the browser. The only way
> the server can tell the browser to "lose a cookie", is by resending the
> same cookie with an expiration date in the past. That should cause the
> browser to delete the cookie and not send it anymore.
>
> What I mean is: to "set a cookie in the browser", the server sends a
> "Set-Cookie" HTTP header to the browser, along with some normal result
> page. It does this once (or more, but once is enough). After that, the
> browser will always send back the cookie with each request to the same
> server, as a "Cookie:" HTTP header, until this cookie expires. When the
> expiration date/time of the cookie is reached, the browser purges the
> cookie from its memory, and that is when it stops sending it.
> There is no "Unset-Cookie" or "Stop-sending-this-cookie" HTTP header that
> the server can send to the browser.
>
>>
>> My lack of Apache skills is no doubt showing. Is there a way to have
>> Apache 2.2 serve both 80 (clear) and 443 (SSL) from the primary
>> host instead of a virtual host? I'm guessing that the switch from the
>> virtual host to the main host (both with the same hostname and IP but
>> listening on different ports) is what's causing the cookie to get lost.
>
> As far as I know, a cookie is not port-specific. Host or domain-specific
> yes, but port not.
>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
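Added example, not part of the thread: a simplified Python model of the browser-side behaviour the quoted message describes (a Secure cookie withheld on plain HTTP, cookies keyed by host rather than port, deletion through a past expiry date). The class name, host name and cookie values are constructed for illustration, and the model assumes host-only cookies with path "/".

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class ToyBrowserJar:
    """Simplified model of a browser cookie store (host-only cookies, path "/")."""

    def __init__(self):
        self.store = {}  # (host, name) -> (value, secure, expires or None)

    def receive(self, url, set_cookie, now):
        """Process one Set-Cookie header value received in a response from url."""
        host = urlsplit(url).hostname      # the port is deliberately not part of the key
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            expires = parsedate_to_datetime(morsel["expires"]) if morsel["expires"] else None
            if expires is not None and expires <= now:
                self.store.pop((host, name), None)   # past expiry date: cookie is deleted
            else:
                self.store[(host, name)] = (morsel.value, bool(morsel["secure"]), expires)

    def cookie_header(self, url, now):
        """Return the Cookie: header value that would be sent to url, or None."""
        parts = urlsplit(url)
        pairs = []
        for (host, name), (value, secure, expires) in self.store.items():
            if host != parts.hostname:
                continue
            if expires is not None and expires <= now:
                continue                   # expired: no longer sent
            if secure and parts.scheme != "https":
                continue                   # Secure cookies are withheld on plain HTTP
            pairs.append(f"{name}={value}")
        return "; ".join(pairs) or None


if __name__ == "__main__":
    now = datetime(2008, 6, 5, tzinfo=timezone.utc)   # constructed sample data below
    jar = ToyBrowserJar()
    jar.receive("https://www.example.com/login", "JSESSIONID=ABC123; Path=/; Secure", now)
    print(jar.cookie_header("https://www.example.com/app", now))
    print(jar.cookie_header("http://www.example.com/app", now))
```
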