I've been having the same issues others have been asking about. This
discussion has been useful, but...
=== What is a viable workaround for switching to http from https once
the user is authenticated? And is that idea unreasonable (see use
case below).
My main concern is that sending
Lloyd,
DIGLLOYD INC wrote:
| What is a viable workaround for switching to http from https once
| the user is authenticated?
Simple: make sure that the user has a session before you switch into
HTTPS mode.
-chris
André,
André Warnier wrote:
| thank you for the explanations below. And I apologise if I answered
| rather testily before.
It happens. Just remember that Mark happens to be a Tomcat dev, so he's
in a position to know the Truth ;)
-chris
André,
Sorry, one more comment:
André Warnier wrote:
| Off-topic : Are you sure that can really happen ? I must admit that I
| have never seen that behaviour before, and it seems to me that it would
| create a host of other problems (such as
Martin,
Martin wrote:
| If you're in a secure location that disallows cookies... you can always
| try url-rewrite
Dude. The container does URL rewriting without requiring other tools.
Stop confusing people with this junk.
-chris
Christopher Schultz wrote:
André,
André Warnier wrote:
| thank you for the explanations below. And I apologise if I answered
| rather testily before.
It happens. Just remember that Mark happens to be a Tomcat dev, so he's
in a position to know the Truth ;)
Not that that means I am always
krusek schrieb:
We use tomcat forms authentication and it is cookies being used.
There are 3 cookies, JSESSIONIDSSO, test and JSESSIONID.
Not sure how you tell if it's marked secure? The test cookie is for testing
to assure cookies are enabled.
As explained below, my Firefox tells me, for
Johnny Kewl wrote:
Bill... Just lose the FORM authentication, replace it with DIGEST, or
even BASIC I think all your problems will go away.
I'm not exactly sure what you're saying. Are you saying that I shouldn't be
authenticating through a form?
Bill Davidson wrote:
I'm confused so I'm not sure what I say below makes sense.
If I'm reading these posts correctly, the cookie is issued by the front end
(which is Apache web server). Since it is created on an https session, it
is being marked as secure. When browser switches to a
BTW, I forgot to thank everyone for helping me to understand
this problem better. Understanding that the cookie was
being created by Tomcat with the secure flag and that the flag
was causing the problem was the key.
Thanks everyone.
--Bill Davidson
-
From: Bill Davidson [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 09, 2008 7:10 PM
Subject: Re: Session lost when switching from https to http after upgrade to
Tomcat 6
BTW, I forgot to thank everyone for helping me to understand
this problem better
Martin wrote:
If you're in a secure location that disallows cookies... you can always
try url-rewrite
Sorry if I seem a bit dim but I don't understand how url-rewriting
helps me with cookie problems.
-
To start a new topic,
- Original Message -
From: Bill Davidson [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 09, 2008 7:17 PM
Subject: Re: Session lost when switching from https to http after upgrade to
Tomcat 6
Johnny Kewl wrote:
Bill... Just lose the FORM
Johnny Kewl wrote:
maybe moving from HTTPs to HTTP is just a bad idea.
No doubt. However, I didn't design this app and it's not up to me.
BTW, it's an old app. It's running on Tomcat 3.2.4 in production to
give you an idea of its age. We want to move to a newer server
first and then work on
- Original Message -
From: Johnny Kewl [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, June 10, 2008 3:19 AM
Subject: Re: Session lost when switching from https to http after upgrade to
Tomcat 6
- Original Message -
From: Bill Davidson
- Original Message -
From: Bill Davidson [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, June 10, 2008 3:43 AM
Subject: Re: Session lost when switching from https to http after upgrade to
Tomcat 6
Johnny Kewl wrote:
maybe moving from HTTPs to HTTP
Mark,
thank you for the explanations below. And I apologise if I answered
rather testily before.
Mark Thomas wrote:
André Warnier wrote:
Mark Thomas wrote:
André Warnier wrote:
A lot of speculation here, but who knows ?
Indeed. And it is all wrong.
Is that proven, or mere speculation
André Warnier wrote:
Mark,
thank you for the explanations below. And I apologise if I answered
rather testily before.
No problem. I can be a little short too sometimes.
The problem is that some clients (as a result of the ISP they are
using) change IP with every request.
Off-topic : Are
Mark Thomas wrote:
...
The problem is that some clients (as a result of the ISP they are
using) change IP with every request.
Off-topic : Are you sure that can really happen ? I must admit that I
have never seen that behaviour before, and it seems to me that it
would create a host of
I'm confused so I'm not sure what I say below makes sense.
If I'm reading these posts correctly, the cookie is issued by the front end
(which is Apache web server). Since it is created on an https session, it
is being marked as secure. When browser switches to a non-secure
page on the same
- Original Message -
From: Bill Davidson [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 09, 2008 12:36 AM
Subject: Re: Session lost when switching from https to http after upgrade to
Tomcat 6
I'm confused so I'm not sure what I say below makes
André Warnier wrote:
Mark Thomas wrote:
André Warnier wrote:
A lot of speculation here, but who knows ?
Indeed. And it is all wrong.
Is that proven, or mere speculation on your part ?
That is fact. In the cases where Tomcat does do an internal redirect it
uses a RequestDispatcher.forward()
krusek wrote:
I have Apache 2 with SSL, mod_jk connection, and Tomcat. Everything has
worked peachy from one tomcat upgrade after another. However now I upgraded
to tomcat 6 and I am losing the session when switching from https to http
within the same domain.
For clarity, Apache 2 is
:
http://www.nabble.com/Session-lost-when-switching-from-https-to-http-after-upgrade-to-Tomcat-6-tp17658157p17699292.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Hi.
A couple of emails ago, I think you showed the code that was doing a
redirect, and said that that was where it seemed to be losing the cookie.
Let me get back to a couple of my own emails ago, just to set matters
straight : a cookie is a browser thing. If the browser has never seen
the
André Warnier wrote:
A lot of speculation here, but who knows ?
Indeed. And it is all wrong.
To my knowledge, there exists no case where the browser would not send a
cookie with every request, if it has it and it is valid.
Well, there is the obvious example Rainer has already given of
On Fri, Jun 6, 2008 at 15:11, krusek [EMAIL PROTECTED] wrote:
There are 3 cookies, JSESSIONIDSSO, test and JSESSIONID.
Not sure how you tell if it's marked secure?
Some browsers can tell you this. Check your browser's documentation.
But what I don't understand is why it worked before - I thought
Mark Thomas wrote:
André Warnier wrote:
A lot of speculation here, but who knows ?
Indeed. And it is all wrong.
Is that proven, or mere speculation on your part ?
To my knowledge, there exists no case where the browser would not send
a cookie with every request, if it has it and it is
krusek wrote:
I have Apache 2 with SSL, mod_jk connection, and Tomcat. Everything has
worked peachy from one tomcat upgrade after another. However now I upgraded
to tomcat 6 and I am losing the session when switching from https to http
within the same domain.
For clarity, Apache 2 is
not tomcat.
Does anyone know why this is happening?
Thanks!
Kevin
--
View this message in context:
http://www.nabble.com/Session-lost-when-switching-from-https-to-http-after-upgrade-to-Tomcat-6-tp17658157p17658157.html
Sent from the Tomcat - User mailing list archive at Nabble.com