On 15/09/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I don't know if this fits, but could it be, that your problem is
> related to the tomcat session synchronization bug?
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=36541
>
That does look like a potential issue.  However, I think I may have
tracked this down to cookies and switching between HTTP and HTTPS.
There are two scenarios:

1) User starts at an HTTP page and is given a cookie.  This cookie can
be used in secure and non-secure requests.

2) User starts at an HTTPS page and is given a cookie.  This cookie is
only valid for secure requests (because it has Set-Cookie: .... ;Secure
in the response header).  When a user is redirected to an HTTP page
they are given a *new* cookie and a new HttpSession is created on the
server.

Can you tell me the exact semantics of the secure attribute on the
<connector> element?  The documentation just says "Set this attribute
to true if you wish to have calls to request.isSecure() to return true
for requests received"

Thanks
James Shaw

> On 9/15/05, James Shaw <[EMAIL PROTECTED]> wrote:
> > On 14/09/05, James Shaw <[EMAIL PROTECTED]> wrote:
> > > I have two issues relating to sessions:
> > >
> > > 1) Sessions seem to be expired too soon.  This happens very
> > > infrequently for me (perhaps 1 in 1000 requests).  I'm adding some
> > > HttpSessionListeners and HttpSessionAttributeListeners to attempt to
> > > locate this problem, but have little to go on at the moment.
> > >
> > I have some more info on this problem.  During the login process, the
> > original JSESSIONID that tomcat gives to the browser is being lost and
> > a new HttpSession with a new id is being created.  So either the
> > browser is not sending the cookie containing the session id, or Tomcat
> > is somehow losing the id.
> >
> > Does anyone have an idea what this problem could be?  Perhaps you
> > could point me to some information about how Tomcat receives cookies
> > and maps these to their respective HttpSession objects.
> >
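
The two scenarios from the message above can be reproduced offline with Python's standard cookie jar; this is an added example, not code from the thread or from Tomcat. The host name, the session ids and the `ToyServer` class are constructed, and the server is a simplified model that issues a `Secure` session cookie only when the session starts over HTTPS, as the message describes.

```python
import itertools
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

class FakeResponse:
    """Stand-in for an HTTP response that carries one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

class ToyServer:
    """Simplified model (an assumption, not Tomcat code): a request whose
    JSESSIONID is absent or unknown gets a new session and a new cookie."""
    def __init__(self):
        self.sessions = set()
        self._ids = itertools.count(1)
    def handle(self, request):
        """Return (session_id, Set-Cookie value or None) for one request."""
        sent = request.get_header("Cookie") or ""
        sid = sent.partition("JSESSIONID=")[2].split(";")[0]
        if sid in self.sessions:
            return sid, None
        sid = "CONSTRUCTED%d" % next(self._ids)
        self.sessions.add(sid)
        # Session created over HTTPS: the cookie is marked Secure.
        secure = "; Secure" if request.type == "https" else ""
        return sid, "JSESSIONID=%s; Path=/%s" % (sid, secure)

def session_ids(urls):
    """Visit urls in order with one cookie jar; return the session id per request."""
    jar, server, seen = CookieJar(), ToyServer(), []
    for url in urls:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # a Secure cookie is withheld on http://
        sid, set_cookie = server.handle(req)
        if set_cookie:
            jar.extract_cookies(FakeResponse(set_cookie), req)
        seen.append(sid)
    return seen

HOST = "app.example.test"  # constructed host name
# Scenario 1: start on HTTP, continue on HTTPS -> one session throughout.
print(session_ids(["http://%s/" % HOST, "https://%s/login" % HOST]))
# Scenario 2: start on HTTPS, redirected to HTTP -> a second session appears.
print(session_ids(["https://%s/login" % HOST, "http://%s/home" % HOST]))
```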