I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. The changes are not difficult, but you must implement your own mechanism to prevent session hijacking. Non-secure JSESSIONID cookies create a security hole.
The committees are supposed address the security vs. state management issue in the next Servlet Spec.
Regards, Bob Feretich
I have a servlet/JSP application in which users establish their servlet session using https but conduct the rest of their interactions using http. The session appears not to be preserved between https and http, ie. after switching from back to http the request.getSession(false) call returns null. Can anyone shed light on this for me? Is this expected? Is there a workaround/configuration/setting in Tomcat 5 I might have missed?
Thanks
Anthony
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]