I've been watching this thread with some interest, because I have had no difficulty using cookie-based sessions on Tomcat 4.0.1 with Mac OS X and IE.
Judging from the headers you reproduced in your email, it would appear the Tomcat has been configured in such a way as to treat the session cookie as secure, which means that it should ONLY be sent over an encrypted connection. As a result, the browser will NOT send the cookie over a regular HTTP session, so if you switch back and forth between regular HTTP and HTTP/SSL (i.e., "https"), the requests will not use the same session. In order to maintain sessions across HTTP and HTTPS, we use a non-secure cookie as the session ID (I think this is the default, anyway). Once someone logs in, which we only allow to occur over SSL, we and set a secure cookie with a randomly-generated value in the response. After that, we redirect all traffic that requires a logged-in user to HTTPS, and only treat them as really logged in if the secure cookie is present, and matches the value generated by us when they logged in. This allows us to switch the browser back and forth between HTTP and HTTPS at will, and only require the user to log in once per session. The system described above relies on correct behavior of cookies on the Mac in IE, and it works for us. I don't know if any behavior on the Tomcat side has changed since 4.0.1, but I would tend to doubt it. Why are you using a secure cookie for the session cookie? Do you need to? If so, you can't expect the session to remain intact across HTTP and HTTPS requests. Any browser that DOES send a secure cookie over a straight HTTP request is dangerously out of spec. On 3/8/02 10:32 AM, "Anders Rundgren" <[EMAIL PROTECTED]> wrote: > Just done! No cookies are sent from IE which means that TC is likely > to send something IE 5 Mac does not understand. "Secure" is an addition that > TC offer but not IIS. Secure is though RFCxxxx-compliant so maybe IE 5/mac > *is* broken. > > TOMCAT > ----------- > Date: Fri, 08 Mar 2002 15:00:42 GMT > Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6 mod_jk/1.2.0 > EXPIRES: Thu, 01 Jan 1970 00:00:00 GMT > Set-Cookie: JSESSIONID=7C1F8E3DD950780CA775B3EB3AE74D16;Path=/BuyerASP;Secure > Connection: close > Content-Type: text/html > > IIS > --- > Server: Microsoft-IIS/5.0 > Date: Fri, 08 Mar 2002 15:13:12 GMT > Connection: Keep-Alive > Content-Length: 1443 > Content-Type: text/html > Expires: Fri, 08 Mar 2002 15:12:12 GMT > Set-Cookie: ASPSESSIONIDGQQGGWNY=INDLBBEAKPOBKEMFDDDHAFCM; path=/shop > Cache-control: private -- +-------------------------------------------------------------------+ | Dave Makower <[EMAIL PROTECTED]> | | http://www.davemak.com/ | +-------------------------------------------------------------------+ -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
