Re: how to use different session id from http to https
Dave [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I am using JBoss 4.0.5GA. Cookie-based session tracking is used. Starting with http, when user clicks login, redirect to https, but the same session id is used for https. It is not safe.
>
> After calling session.invalidate(), the session id in the cookie is used for https.
>
> If the jsessionid cookie is set to empty string after session.invalidate()
>
>     session.invalidate();
>     Cookie cookie = new Cookie("jsessionid", "");
>     response.addCookie(cookie);

Why not simply:

    session.invalidate();
    session = request.getSession(true);

> The jsessionid cookie is changed to the empty string in browser. But the empty string will be used to create the new https session. I hope tomcat to generate a new unique session id.
>
> Is there a way to delete cookie? For security reason, how to set a different session id for https when redirecting from http to https?
>
> Thanks for help.
> Dave

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: how to use different session id from http to https
    session.invalidate();
    session = request.getSession(true);

The new session will have the same session id.

Bill Barker [EMAIL PROTECTED] wrote:
> Dave wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > I am using JBoss 4.0.5GA. Cookie-based session tracking is used. Starting with http, when user clicks login, redirect to https, but the same session id is used for https. It is not safe.
> >
> > After calling session.invalidate(), the session id in the cookie is used for https.
> >
> > If the jsessionid cookie is set to empty string after session.invalidate()
> >
> >     session.invalidate();
> >     Cookie cookie = new Cookie("jsessionid", "");
> >     response.addCookie(cookie);
>
> Why not simply:
>
>     session.invalidate();
>     session = request.getSession(true);
>
> > The jsessionid cookie is changed to the empty string in browser. But the empty string will be used to create the new https session. I hope tomcat to generate a new unique session id.
> >
> > Is there a way to delete cookie? For security reason, how to set a different session id for https when redirecting from http to https?
> >
> > Thanks for help.
> > Dave
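
Added example, not part of either post: one way to rotate the session at the https login step and fail closed when the container hands back the id the browser already presented over http, which is the behaviour reported in the reply above. The class name SessionRotation and the method rotate are hypothetical; only standard javax.servlet.http calls are used.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not from the thread): rotate the session at login. */
public final class SessionRotation {
    private SessionRotation() {}

    /** Call on the login request after credentials are verified; null means refused. */
    public static HttpSession rotate(HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        if (!request.isSecure()) { // never issue the post-login id over plain http
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires https");
            return null;
        }
        // Id sent by the browser, even if no live session backs it any more.
        String presented = request.getRequestedSessionId();
        String oldId = null;
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            oldId = old.getId();
            // Copy the attributes that must survive the login.
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        // Fail closed if the id that travelled over http was reused.
        if (fresh.getId().equals(oldId) || fresh.getId().equals(presented)) {
            fresh.invalidate();
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "session id was not rotated");
            return null;
        }
        for (Map.Entry<String, Object> a : carried.entrySet()) {
            fresh.setAttribute(a.getKey(), a.getValue());
        }
        return fresh;
    }
}
```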