Hello folks... I have something that I'm just completely stumped on....while Google has been my best friend the last 5 hours, I still haven't found a solution.
The problem: When going from http://mydomain/whatever.jsp to https://mydomain/secureArea/anything.jsp Funny things happen. Basically...this is the scenario: A user goes from an unsecure page to the secure area (https), and logs in. Upon succes, I populate the user object (session accessible bean) with all the yummy info I need (user_id, name, etc). When I go BACK to an http url from the secure https part, I don't have my session data for that user anymore :( I actually checked my database where I store session id's, and when they go from http to https to log in, Tomcat creates a new session, thereby blanking out my session I created previously. I'm using Apache, and I have Tomcat integrated as the backend jsp/servlet processor using mod_webapp to connect to tomcat. In Apache, the website has two virtual host entries (one for port 80, one for port 443), which is needed by apache to distinguish what protocol to use & when. In Tomcat's server.xml the site has just one context declared within a <host> attribute for that site. Both of these virtual hosts directives connect to the same webapp connector for this Context when passing requests to Tomcat 4. In Tomcat's server.xml, I have the Apache Tomcat connector defined, and I have included the secure="true" attribute to allow for secure connecting. I need Tomcat to use the same session when accessing any page on the site...over http or https. How can I make this happen? Am I configuring the virtual hosts in Apache incorrectly? (I don't think so, but if there is some slick way to have one virtual host listen to 2 port numbers in Apache from one vhost declaration, I'm all ears). Do I need another webapp connection to tomcat instead of using just one? One for http requests, one for https requests? I don't think this is correct either, since it says in the Tomcat documentation that Tomcat doesn't have to know about the connections if a server like Apache/IIS is already doing the ssl encryption/decryption stuff prior to sending stuff to Tomcat (which is what is happening). Do I have to do anything with the portRedirect attribute in the Apache-Tomcat connector? I know you can use this to automatically direct http to https connections. But until this session sharing problem is fixed, redirecting won't help me. Summary: How do I use the same session data from one https page to another http page and vice versa for the same user without creating a new session? If you can even remotely help me, I'll be your best friend. My mom makes some pretty good pie too... mmmm....pie. Thanks a TON for anything you folks can point out! Les Hazlewood -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>