You are right Manuel, Tomcat 4.0.2 using SSL unfortunately always sets a &Secure flag on JSESSIONIDs, which do not (depending on browser) allow you to do this https->http switch.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6983 A Macintosh using IE 5 cannot even obtain a _standard_ SSL jsession due to this. This is why I have requested this behavior to become an option. The option would actually disable a cookie-RFC compliant feature, but so what, if you cannot get things to work? cheers, Anders ----- Original Message ----- From: "Manuel Mall" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, March 26, 2002 11:17 Subject: Session lost when switching from https to http in Tomcat 4 Has the session semantic changed between Tomcat 3 and Tomcat 4? We have a servlet/JSP application in which users establish their servlet session using https but conduct the rest of their interactions using http. This works fine under Apache 1.3.22 with Tomcat 3.2.1 connecting using ajp12. After upgrading to Tomcat 4.0.3 now using ajp13 the session appears not to be preserved between https and http, ie. after switching back to http the request.getSession(false) call returns null. This seems to indicate that the session tracking mechanism has changed between Tomcat 3 and Tomcat 4. Can anyone shed light on this for me? Is this expected? Is there a workaround/configuration/setting in Tomcat 4 I might have missed? Thanks Manuel -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]> -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
