Read the docs of your container about sessions. Resin can store session information on disk and in a database; maybe that could be a workaround for transferring session from HTTP -> HTTPS?
Another idea (apart from Adrian's) would be to put all the data you need to transfer in some structure (hashtable) in the application scope, and include a unique key in the secure shopping form, so the new HTTPS session will retrieve the old data from the application scope. You have to be very careful about security though.

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Alireza Nahavandi
> Sent: Thursday, December 05, 2002 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Secure server
>
> Hi guys,
>
> Thank you for your responses. I tested URL rewriting. It did not work. Any
> other solution?
>
> Thank you again.
>
> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> Sent: Thursday, December 05, 2002 2:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Secure server
>
> Yeah good idea - would certainly solve the browser side issue. Does tomcat
> (or any other servlet container) preserve sessions across http / https?
>
> > -----Original Message-----
> > From: Mattias Jiderhamn [SMTP:[EMAIL PROTECTED]]
> > Sent: 05 December 2002 09:54
> > To: [EMAIL PROTECTED]
> > Subject: Re: Secure server
> >
> > Using URL rewriting when posting from the http session to the https
> > session should also work ... right?
> >
> > > -----Original Message-----
> > > From: A mailing list about Java Server Pages specification and reference
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> > > Sent: Thursday, December 05, 2002 7:48 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Secure server
> > >
> > > Sessions are not shared across http / https boundaries. This is an
> > > artifact of the browser. It will deliberately not recognise http and
> > > https pages as being in the same "context" and will generate a new
> > > session id cookie as soon as the transition from http to https is made.
> > > This is for security reasons as whatever was done in http is vulnerable
> > > and therefore cannot be trusted by an https session.
> > >
> > > Either start your https session earlier - like as soon as the user
> > > starts filling the shopping cart - it's not that expensive, or
> > > explicitly post everything to the first page in the https session.
> > >
> > > > -----Original Message-----
> > > > From: Alireza Nahavandi [SMTP:[EMAIL PROTECTED]]
> > > > Sent: 04 December 2002 06:02
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Secure server
> > > >
> > > > Hi everybody,
> > > >
> > > > I think there was a discussion about this problem before....
> > > >
> > > > I need some help with secure server.
> > > >
> > > > I have a session object for a shopping cart :
> > > >
> > > > <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > >
> > > > For checking out I need to call programs from a path like :
> > > >
> > > > https://secure.shop.com/chk1.jsp
> > > >
> > > > In chk1.jsp still I have the definition of cart like before :
> > > >
> > > > <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > >
> > > > But the session is empty.
> > > >
> > > > Has anybody faced this problem before? Any solution?
> > > >
> > > > Thank you in advance.

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
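
The application-scope handoff suggested in the reply at the top of this thread, sketched as an added example (it is not code from any of the posters): the key placed in the secure shopping form is random, single-use and short-lived. The class name HandoffStore, its methods and the two-minute lifetime are assumptions made for illustration; in a JSP application one instance would be kept as an application-scope attribute.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: one-time handoff of data from the HTTP session to the HTTPS session. */
public class HandoffStore<T> {
    private static final SecureRandom RNG = new SecureRandom();
    private static final class Entry<T> {
        final T value; final long expiresAtMillis;
        Entry(T v, long exp) { value = v; expiresAtMillis = exp; }
    }

    private final Map<String, Entry<T>> entries = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public HandoffStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** HTTP side: park the data and return the key to embed in the checkout form. */
    public String issue(T value) {
        byte[] raw = new byte[32];   // 256 random bits, so keys cannot be guessed or enumerated
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(key, new Entry<>(value, System.currentTimeMillis() + ttlMillis));
        return key;
    }

    /** HTTPS side: remove() makes the key single-use, so a replayed key finds nothing. */
    public Optional<T> redeem(String key) {
        if (key == null) return Optional.empty();
        Entry<T> e = entries.remove(key);
        if (e == null || System.currentTimeMillis() > e.expiresAtMillis) return Optional.empty();
        return Optional.of(e.value);
    }

    /** Drop entries that were never redeemed; call periodically so the map stays bounded. */
    public void purgeExpired() {
        long now = System.currentTimeMillis();
        entries.values().removeIf(e -> now > e.expiresAtMillis);
    }

    public static void main(String[] args) {
        HandoffStore<String> store = new HandoffStore<>(120_000);  // assumed 2-minute lifetime
        String key = store.issue("cart: 2 x widget");              // constructed sample data
        System.out.println(store.redeem(key).isPresent());         // first redemption
        System.out.println(store.redeem(key).isPresent());         // replay of the same key
    }
}
```

The key is still handed out over plain HTTP, so, in line with Adrian's point that what was done in http cannot be trusted, the HTTPS page should re-validate the redeemed cart (items, quantities, prices) on the server before charging.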
