Re: HTTP/S Session Cookie

2015-03-19 Thread Martin Polívka
Thank you, that's what I think, but I can't make out why it was working on
Tapestry 5.0.14. I think that it's not a Tapestry-related problem, but only the
Tapestry version changed - no browser, Tomcat or anything else.
Making the app accessible on https only is the last option, which I would like to
avoid :)

On Thu, 19 Mar 2015 at 18:00, Kalle Korhonen kalle.o.korho...@gmail.com
wrote:

 On Thu, Mar 19, 2015 at 9:41 AM, Martin Polívka martasdx@gmail.com
 wrote:

  Hi, I am quite new to Tapestry, but last month I am upgrading our app from
  Tapestry 5.0.14 to 5.3.8. It's working now with one problem.
  We use Tomcat 7, servlet 3.0 (in the future Tomcat 8 and servlet 3.1) and
  Java 7. Tomcat listens on http (8080) and https (8443). If I use https,
  everything is OK.
  If I use http, I enter the login page of the app and a SessionState object is
  created. I can see the Session ID (equals X). It's done
  by the contributeApplicationStateManager function in the Module. Another contribute
  is for URL (contributeServiceOverride) where we use only an https connection.
  That's because we want all ajax requests to go over https even if the user is
  on http.
  So if the user logs in, a session and cookie are created with the attribute httpOnly and
  if I send an ajax request to https, another session is created by Tapestry.
  Is it possible to access the http session in the https request?
 
 
 In general, no, it's not possible. This is a security issue and it's not
 related to Tapestry. Container-specific configuration may allow
 joining/sharing sessions on the servers (I recall having done something
 similar in the past with Tomcat). I'd advise simply using https everywhere,
 it'll make your life easier.

 Kalle



Re: HTTP/S Session Cookie

2015-03-19 Thread Kalle Korhonen
On Thu, Mar 19, 2015 at 9:41 AM, Martin Polívka martasdx@gmail.com
wrote:

 Hi, I am quite new to Tapestry, but last month I am upgrading our app from
 Tapestry 5.0.14 to 5.3.8. It's working now with one problem.
 We use Tomcat 7, servlet 3.0 (in the future Tomcat 8 and servlet 3.1) and
 Java 7. Tomcat listens on http (8080) and https (8443). If I use https,
 everything is OK.
 If I use http, I enter the login page of the app and a SessionState object is
 created. I can see the Session ID (equals X). It's done
 by the contributeApplicationStateManager function in the Module. Another contribute
 is for URL (contributeServiceOverride) where we use only an https connection.
 That's because we want all ajax requests to go over https even if the user is
 on http.
 So if the user logs in, a session and cookie are created with the attribute httpOnly and
 if I send an ajax request to https, another session is created by Tapestry.
 Is it possible to access the http session in the https request?


In general, no, it's not possible. This is a security issue and it's not
related to Tapestry. Container-specific configuration may allow
joining/sharing sessions on the servers (I recall having done something
similar in the past with Tomcat). I'd advise simply using https everywhere,
it'll make your life easier.

Kalle
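Kalle's "https everywhere" advice, written out as Servlet 3.0 deployment-descriptor configuration for the Tomcat 7 setup described in the question. This is an added example, not code from either poster, from Tapestry or from Tomcat; the `/*` URL pattern, the 30-minute timeout and the resource name are assumptions. The cookie-config block pins both HttpOnly (which the question already has) and Secure on the session cookie, and the security-constraint makes every URL require a confidential transport, so a request arriving on the plain 8080 connector is redirected to the https connector before a session is ever issued in clear.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for a Servlet 3.0 web.xml on Tomcat 7; not from the thread,
     Tapestry or Tomcat. URL pattern, timeout and resource name are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Session cookie hardening. HttpOnly keeps scripts away from the cookie;
       Secure tells the browser never to send it on a plaintext connection,
       so the session id cannot be replayed after an http request leaks it. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <!-- "https everywhere": CONFIDENTIAL makes the container refuse to serve
       any matching URL over plain http and redirect to the secure connector
       (the HTTP connector's redirectPort in server.xml, 8443 in the question). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

The two settings belong together. With `<secure>true</secure>` alone the cookie is still issued to http clients but the browser will not return it on http, so every plain request would create a fresh session, which is the symptom in the question in a different form; the CONFIDENTIAL constraint removes the http path so that only one session, the https one, exists. The redirect only works if the HTTP connector in `server.xml` has a `redirectPort` pointing at the HTTPS connector, which Tomcat's stock configuration sets to 8443.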