Hi Bob,


I can't switch to https in this case (not a technical problem). So where do I have to apply the changes
you suggested in my Tomcat 5.0.28? Where can I find the AuthenticatorBase code? And what do I have to change?


Regards,

Swen

I experienced a problem that might be similar to yours. I was testing with Netscape 7 (Mozilla based like Firefox) and IE. My form authentication worked with IE, but not Netscape.

It occurred quite a while ago (using Tomcat 4.1.x), so I am not clear on the exact details. My debug showed that Netscape was not handling the session cookies the same way as IE. I think that Netscape only returned non-secure cookies via a non-secure port (80 for me).
1) I would start a session on a non-protected page (http - port 80).
2) The user would select a link to a protected page.
3) Control would be passed to my login form (https - port 443), but the non-secure jsessionid cookie would not be received, so Tomcat would start a new session and store a secure jsessionid cookie.


I think this is a bug in both Mozilla and Tomcat.
Netscape should return a cookie stored by port 80 on port 443 as long as the stored cookie is not designated for port 80 only.
Tomcat should follow RFC-2964 "Use of HTTP State Management" and never mark session tracking cookies "secure". We may have to wait for RFC-2965 to be adopted before all this gets fixed.


If this is your problem, you can either run your whole application under https or zap the Tomcat AuthenticatorBase code. I think I changed it to:
1) append ";jsessionid=..." to URLs when they are redirected to the https port.
2) remove the addition of the redirectPort to that same URL.


Regards,
Bob Feretich

Peter Neu wrote:

Hello everybody,

I'm using form authentication to log on the users to my website.
Until now I was using Mozilla Firefox for development but
now I came across this problem that Firefox doesn't allow
a clean log in and always redirects to the error.jsp. The
authentication is correct because it works with the IE.

Does anyone have this problem, too? If not this means
I can't serve any Firefox clients.

Regards,

Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
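The http-to-https sequence described in the thread, replayed as an added example that is not part of the original messages. It uses Python's standard `http.cookiejar` as the client model (not Netscape, Firefox or IE themselves); the host name, page names and session ids are constructed.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

HOST = "www.example.com"  # constructed host name, not from the thread


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def receive(jar, url, set_cookie):
    """Store the cookie a server at `url` would set with this header."""
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(url))


def cookie_sent(jar, url):
    """Return the Cookie header the client would send to `url`, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def replay():
    jar, seen = CookieJar(), {}
    # Step 1: session starts on a non-protected page (http, port 80).
    receive(jar, f"http://{HOST}/index.jsp", "JSESSIONID=PLAIN111; Path=/")
    # Steps 2-3: the login form is requested over https (port 443).
    seen["port80_cookie_on_443"] = cookie_sent(jar, f"https://{HOST}/login.jsp")
    # The server starts a new session over https and marks its cookie Secure.
    receive(jar, f"https://{HOST}/login.jsp",
            "JSESSIONID=SECURE222; Path=/; Secure")
    seen["after_login_on_443"] = cookie_sent(jar, f"https://{HOST}/protected.jsp")
    # Back on a plain http page the Secure cookie is withheld.
    seen["after_login_on_80"] = cookie_sent(jar, f"http://{HOST}/index.jsp")
    return seen


if __name__ == "__main__":
    for step, header in replay().items():
        print(f"{step}: {header}")
```

In this client model the cookie set on port 80 is returned on port 443, while the session cookie marked Secure replaces it and is never sent back over plain http, so a session created during an https login is not visible to the http pages.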






