I faced the same problem with Netscape 4.5 when I was not using the default
port for http and https. If you use the default port and don't specify the
port number in the URL, it should work 'coz the session cookie is set based on
the domain name and port (in this case no port number). If you are using
WebLogic, an alternative solution is to set the cookieDomain in the
weblogic.xml file.

-----Original Message-----
From: Mattias Jiderhamn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 7:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Secure server


Read the docs of your container about sessions. Resin can store session
information on disk and in a database, maybe that could be a workaround for
transferring session from HTTP -> HTTPS?

Another idea (apart from Adrian's) would be to put all the data you need to
transfer in some structure (hashtable) in the application scope, and include
a unique key in the secure shopping form, so the new HTTPS session will
retrieve the old data from the application scope. You have to be very
careful about security though.

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Alireza Nahavandi
> Sent: Thursday, December 05, 2002 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Secure server
>
>
> Hi guys,
>
> Thank you for your responses. I tested URL rewriting. It did not work. Any
> other solution?
>
> Thank you again.
>
> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> Sent: Thursday, December 05, 2002 2:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Secure server
>
>
> Yeah good idea - would certainly solve the browser side issue. Does Tomcat
> (or any other servlet container) preserve sessions across http / https?
>
> > -----Original Message-----
> > From: Mattias Jiderhamn [SMTP:[EMAIL PROTECTED]]
> > Sent: 05 December 2002 09:54
> > To:   [EMAIL PROTECTED]
> > Subject:      Re: Secure server
> >
> > Using URL rewriting when posting from the http session to the https
> > session should also work ... right?
> >
> > > -----Original Message-----
> > > From: A mailing list about Java Server Pages specification and reference
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> > > Sent: Thursday, December 05, 2002 7:48 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Secure server
> > >
> > >
> > > Sessions are not shared across http / https boundaries. This is an
> > > artifact of the browser. It will deliberately not recognise http and
> > > https pages as being in the same "context" and will generate a new
> > > session id cookie as soon as the transition from http to https is made.
> > > This is for security reasons as whatever was done in http is vulnerable
> > > and therefore cannot be trusted by an https session.
> > >
> > > Either start your https session earlier - like as soon as the user
> > > starts filling the shopping cart - it's not that expensive, or explicitly
> > > post everything to the first page in the https session.
> > >
> > > > -----Original Message-----
> > > > From: Alireza Nahavandi [SMTP:[EMAIL PROTECTED]]
> > > > Sent: 04 December 2002 06:02
> > > > To:   [EMAIL PROTECTED]
> > > > Subject:      Secure server
> > > >
> > > > Hi everybody,
> > > >
> > > > I think there was a discussion about this problem before....
> > > >
> > > > I need some help with secure server.
> > > >
> > > > I have a session object for a shopping cart:
> > > >
> > > >   <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > >
> > > > For checking out I need to call programs from a path like:
> > > >
> > > >    https://secure.shop.com/chk1.jsp
> > > >
> > > > In chk1.jsp I still have the definition of cart like before:
> > > >
> > > >   <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > >
> > > > But the session is empty.
> > > >
> > > > Has anybody faced this problem before? Any solution?
> > > >
> > > > Thank you in advance.
> > > >
> > > >
> > > --
> > >
> > > It is the strict policy of Truworths that its e-mail facility and all
> > > e-mail communications emanating therefrom, should be utilised for
> > > business purposes only and should conform to high professional and
> > > business standards.   Truworths has stipulated certain regulations in
> > > terms whereof strict guidelines relating to the use and content of
> > > e-mail communications are laid down. The use of the Truworths e-mail
> > > facility is not permitted for the distribution of chain letters or
> > > offensive mail of any nature whatsoever.   Truworths hereby distances
> > > itself from and accepts no liability in respect of the unauthorised
> > > use of its e-mail facility or the sending of e-mail communications
> > > for other than strictly business purposes.   Truworths furthermore
> > > disclaims liability for any  unauthorised instruction for  which
> > > permission was not granted.    Truworths Limited accepts no liability
> > > for any consequences arising from or as a result of reliance on this
> > > message unless it is in respect of bona fide Truworths business for
> > > which proper authorisation has been granted.
> > >
> > > Any recipient of an unacceptable communication, a chain letter or
> > > offensive material of any nature is requested to notify the Truworths
> > > e-mail administrator ([EMAIL PROTECTED]) immediately in order that
> > > appropriate action can be taken against the individual concerned.

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
