Platform: Windows 2008 R2
Web Servers: IIS 7.5, Tomcat 5.5
I have a JSP website which uses login-form authentication, via a custom servlet. Below is the order of how login proceeds:

Login (SSL) -> Auth (SSL) -> Intermediary Page 1 (SSL) -> Intermediary Page 2 (non-SSL) -> Intermediary Page 3 (non-SSL) -> Homepage (non-SSL)

Now, this process works just fine in all major desktop browsers, iOS, and Android 4.x. However, **I am experiencing problems with Android 3.x and lower. When I switch over from HTTPS to HTTP, Tomcat creates a new HTTP jsessionid for each page.**

Why is this a problem? Because the HTTP session variables are lost when simply navigating to another HTTP page. It seems that switching from HTTPS to HTTP causes Tomcat to keep creating a new HTTP session for these older versions of Android.

I tried passing jsessionid in the URL from Intermediary Page 2 to Intermediary Page 3, which works as long as I do it for every single page the user accesses thereafter, and that's simply not going to cut it, since there are many, many, many JSP pages this website manages. In other words, I have to pass the jsessionid via URL to the Homepage, in order to maintain the HTTP session.

I don't know what to do, honestly. I don't understand why Tomcat is creating new HTTP sessions and thus losing any and all session variables which were set previously in HTTP space.

Let me clarify that I'm not talking about maintaining sessions from HTTPS to HTTP. The problem here is AFTER the user is redirected to HTTP space, where Tomcat creates new sessions for each and every page accessed in HTTP space, instead of maintaining the one HTTP session.

Does anyone have any solutions, as to why Android 3.x and lower are affected and how to resolve it? Has anyone ever had this problem with the older Android versions?

Thank you.

**UPDATE**

I have confirmed that the request header, Connection:keep-alive, does NOT appear for Android 3.x and lower. This may be the reason why Tomcat is destroying and creating a new JSESSIONID.
But the problem is IIS 7.5 has connection:keep-alive enabled, although I think that's specifically for the response Header. And, besides, Connection:keep-alive appears for all the other platforms and browsers that work. So, for whatever reason, Android 3.x and lower doesn't support Connection:keep-alive or there's an issue with how IIS 7.5 and Tomcat 5.5. I'm just not sure.
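
One way to narrow down the symptom described in the post is to compare the `Cookie` header of each request with the `Set-Cookie` header of the previous response, which shows whether the browser failed to return the JSESSIONID or the server replaced an ID it was given. This is an added example, not part of the original post; the trace, session IDs, and paths are constructed, and tracking HTTPS and HTTP sessions separately is an assumption taken from the post's description.

```python
import re

# Matches JSESSIONID in either a Cookie or a Set-Cookie header value.
SID = re.compile(r"(?:^|;\s*)JSESSIONID=([^;\s]+)", re.I)

def session_id(header):
    """Return the JSESSIONID value from a header string, or None."""
    m = SID.search(header or "")
    return m.group(1) if m else None

def classify(trace):
    """Label each request by how the session cookie behaved."""
    issued = {}  # scheme -> last ID the server issued on that scheme (assumption)
    out = []
    for scheme, path, cookie, set_cookie in trace:
        sent, new = session_id(cookie), session_id(set_cookie)
        last = issued.get(scheme)
        if last is None:
            verdict = "new-session" if new else "no-session"
        elif sent != last:
            verdict = "client-did-not-return-cookie"
        elif new and new != last:
            verdict = "server-reissued-id"
        else:
            verdict = "ok"
        if new:
            issued[scheme] = new
        out.append((path, verdict))
    return out

# Constructed trace: (scheme, path, request Cookie, response Set-Cookie)
TRACE = [
    ("https", "/auth",  None,                "JSESSIONID=AAA111; Path=/app"),
    ("https", "/page1", "JSESSIONID=AAA111", None),
    ("http",  "/page2", None,                "JSESSIONID=BBB222; Path=/app"),
    ("http",  "/page3", None,                "JSESSIONID=CCC333; Path=/app"),
    ("http",  "/home",  None,                "JSESSIONID=DDD444; Path=/app"),
]

if __name__ == "__main__":
    for path, verdict in classify(TRACE):
        print(f"{path:8} {verdict}")
```

Header pairs for a real trace can be taken from a proxy capture or from server-side request logging on the affected device.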