I have observed the following repeatable behaviour. The behaviour seems odd to me, but it may be correct. I have yet to try it on Tomcat 5 standalone. This is on JBoss 3.2.3 and 3.2.4RC2.

The web app has 3 pages:

- index.jsp
- restricted.jsp (protected with form based container auth)
- logout.jsp (does session invalidate & requestdispatch forward to index.jsp)

1) access index.jsp on http (session1)
2) follow https link to restricted.jsp (session1)
3) follow https link to logout.jsp (session1)
4) now at https version of index.jsp with session2
5) do step 2 again (session2)
6) follow http link to index.jsp (session3!!! I would expect session2 still)

To summarise: starting with an http link going to https retains the current session, but starting with https and going to http does not retain the session.

I've read that old browsers don't retain sessions between http and https, but I'm using IE 6 patched up to date.

Apologies that this isn't necessarily anything to do with JBoss but this is the only platform I've tried it on yet. It may be that the form based auth is an irrelevance - I've not done that simplification yet.

Do any gurus have advice on this?

Thanks
Martin

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3829659#3829659

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
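
One model that reproduces the six steps in the post above, added here as an example and not part of the original post or of any JBoss/Tomcat code. It assumes the container marks the session cookie `Secure` when the session is created over HTTPS and that the browser withholds `Secure` cookies from plain-HTTP requests; `Container`, `Browser` and `replay` are hypothetical names.

```python
import itertools

class Container:
    """Toy servlet container. Assumption: a session cookie created on an
    HTTPS request is flagged Secure; one created on HTTP is not."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.live = set()                      # ids of valid sessions

    def handle(self, scheme, cookie, invalidate=False):
        """Return (session id in use at end of request, Set-Cookie or None)."""
        sid = cookie if cookie in self.live else None
        if invalidate and sid:                 # logout.jsp: session.invalidate()
            self.live.discard(sid)
            sid = None
        if sid is not None:
            return sid, None                   # existing session, no new cookie
        sid = f"session{next(self._ids)}"      # JSP creates a session on demand
        self.live.add(sid)
        return sid, (sid, scheme == "https")   # (value, Secure flag)

class Browser:
    """Simplified cookie jar holding one JSESSIONID for the site."""
    def __init__(self, server):
        self.server = server
        self.cookie = None                     # (value, secure) or None

    def get(self, scheme, invalidate=False):
        sent = None
        # A Secure cookie is only attached to HTTPS requests.
        if self.cookie and (scheme == "https" or not self.cookie[1]):
            sent = self.cookie[0]
        sid, set_cookie = self.server.handle(scheme, sent, invalidate)
        if set_cookie:
            self.cookie = set_cookie
        return sid

def replay():
    """Replay the steps from the post; steps 3 and 4 are one request."""
    b = Browser(Container())
    return [
        b.get("http"),                     # 1) index.jsp
        b.get("https"),                    # 2) restricted.jsp
        b.get("https", invalidate=True),   # 3+4) logout.jsp -> index.jsp
        b.get("https"),                    # 5) restricted.jsp again
        b.get("http"),                     # 6) index.jsp
    ]

if __name__ == "__main__":
    print(replay())
```

Under these assumptions the asymmetry follows from where each session was created: session1 was issued over HTTP, so its cookie also travels over HTTPS, while session2 was issued over HTTPS and is never sent on the HTTP request in step 6.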