tomcat-users mailing list archives

From Mark Thomas
Subject Re: HtttServletRequest.getSession()
Date Tue, 14 Sep 2010 16:30:19 GMT
On 14/09/2010 15:16, Christopher Schultz wrote:

I'm in the middle of some major re-factoring so I don't have time to
actually test this...

> 0. [Browser has two JSESSIONID cookies: one secure=true and one
> secure=false]

This I doubt. When testing load-balancing on a single machine, I have
seen browsers send the same cookie to two Tomcat instances that only
differ by port number. I suspect https and http will be treated the same
way and one cookie will just overwrite the other. You should test that
to be sure though.

> 1. Browser makes an HTTPS connection to the server and sends both cookies
> 2. Application code calls request.getSession()

Assuming browsers behave the way I think they will, this should be a
non-issue. If they don't, it will get 'interesting'. Either way you'll
need to experiment to be sure.


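The overwrite behaviour discussed in this message can be checked against the storage rule in RFC 6265 section 5.3, modelled below. This is an added example, not part of the original message and not browser or Tomcat code; the host `example.test`, the ports, paths and cookie values are constructed, and `CookieStore`, `defaultPath` and `pathMatches` are hypothetical names.

```javascript
// Model of the RFC 6265 section 5.3 storage rule (added example, not browser or Tomcat code).
// Simplifications: host-only cookies (Domain attribute ignored), no expiry, no HttpOnly.
function defaultPath(pathname) {
  const i = pathname.lastIndexOf('/');
  return i <= 0 ? '/' : pathname.slice(0, i);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieStore {
  constructor() { this.cookies = new Map(); }
  // Apply one Set-Cookie header received in the response for `url`.
  setCookie(url, header) {
    const u = new URL(url);
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: u.hostname, path: defaultPath(u.pathname), secure: false };
    for (const a of attrs) {
      const [k, v = ''] = a.split('=');
      if (k.toLowerCase() === 'secure') c.secure = true;
      if (k.toLowerCase() === 'path' && v.startsWith('/')) c.path = v;
    }
    // Key is (name, domain, path): scheme, port and the Secure flag are not part of it,
    // so a later cookie with the same triple replaces the earlier one.
    this.cookies.set(`${c.name}|${c.domain}|${c.path}`, c);
  }

  // Build the Cookie header value the user agent would send for `url`.
  cookieHeader(url) {
    const u = new URL(url);
    return [...this.cookies.values()]
      .filter((c) => c.domain === u.hostname && pathMatches(u.pathname, c.path))
      .filter((c) => !c.secure || u.protocol === 'https:')
      .sort((a, b) => b.path.length - a.path.length) // longer paths first
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed scenario: same host and path, different scheme and port.
const jar = new CookieStore();
jar.setCookie('https://example.test:8443/app/login', 'JSESSIONID=AAA; Path=/app; Secure');
jar.setCookie('http://example.test:8080/app/', 'JSESSIONID=BBB; Path=/app');
console.log(jar.cookies.size, jar.cookieHeader('https://example.test:8443/app/home'));
```

Under this model two JSESSIONID cookies coexist only when their paths (or domains) differ, in which case both are sent over HTTPS with the longer path first. Current browsers apply additional rules from the RFC 6265bis drafts that this model leaves out.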