Neil:

I think this has been discussed on this list. You can check the archives.

It sounds like what you want is to be able to split the https session from
http activity during browsing, so that a single user could, for instance,
view non-sensitive information from an ordinary catalog page while filling
in an order form, without having to open up Netscape and Opera to run two
separate sessions. There may be a place where you could patch (your own copy
of) Tomcat to allow the server to try to do that. I seem to recall something
like that mentioned on this list recently. I also seem to recall browser
issues mentioned in that context.

I don't really have any experience in this, but I think it wise to urge due
caution. There are a lot of ways to unwittingly open the https session to
prying eyes by running http activity in parallel, especially if your http
pages have any awareness of the https session in progress.

I may be way off base, but I think it is those dangers that might influence
a design decision to lose session information when switching back and forth.
That way, the programmers have to _explicitly_ define and implement their
own security/privacy policies.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka


Neil Aggarwal wrote:

> Joel:
>
> In that case, I would argue that the design is mismatched to
> the actual usage of web applications.
>
> Thanks,
> Neil.
>
> --
> Neil Aggarwal
> JAMM Consulting, Inc.    (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development    Websites, Ecommerce, Java, databases
>
>
> > -----Original Message-----
> > From: Joel Rees [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, April 14, 2002 10:35 PM
> > To: Tomcat Users List
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Session Tracking across hostnames?
> >
> >
> > Neil Aggarwal wrote:
> >
> > > For an application we are building, we are using a shared SSL
> > certificate
> > > so the hostname has to be different for http and https.  For example,
> > > public pages are loaded from
> > http://www.futurescope.com/fscope/myPage.jsp
> > > and private pages are loaded from
> > > http://www.JAMMConsulting.com/fscope/privatePage.jsp
> > >
> > > Unfortunately, when we switch from http to https or vice versa, we lose
> > > track of the session.  Is there a way to keep the session in this
> > > instance?
> >
> > I think that's by design. See the mailing list archives for some
> > discussion
> > of why.
> >
> > Joel Rees
> > Alps Giken Kansai Systems Development
> > Suita, Osaka
> >
> >




--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
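
As an added illustration (not code from this thread, and not Tomcat code), the script below uses Python's standard-library cookie jar to show both points the thread makes: a session cookie issued by one hostname is never sent to the other hostname, which is why the session is "lost" when the app switches between www.futurescope.com and www.JAMMConsulting.com; and a session cookie issued over https without the Secure attribute is sent on plain http requests to the same host, which is the exposure Joel warns about. The hostnames are the ones from Neil's message; the cookie values and the SAFESESSION cookie are constructed for the example, and only the name JSESSIONID is taken from Tomcat.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Hostnames from the thread. Cookie values and the "SAFESESSION" cookie are
# constructed for this example; JSESSIONID is just the name Tomcat gives its
# session cookie. Nothing here is Tomcat's own code.
PUBLIC_HTTP = "http://www.futurescope.com/fscope/myPage.jsp"
PRIVATE_HTTPS = "https://www.JAMMConsulting.com/fscope/privatePage.jsp"
PRIVATE_HOST_HTTP = "http://www.JAMMConsulting.com/fscope/myPage.jsp"


def _response_with_cookies(set_cookie_headers):
    """Stand-in for an HTTP response: CookieJar.extract_cookies() only needs
    an object whose .info() returns something with get_all('Set-Cookie')."""
    msg = Message()
    for header in set_cookie_headers:
        msg["Set-Cookie"] = header

    class _FakeResponse:
        def info(self):
            return msg

    return _FakeResponse()


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url, using
    the same host, path and Secure-flag rules a browser applies."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if header is None:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def demo():
    jar = http.cookiejar.CookieJar()
    # The private page, served over https, sets two session cookies: one the
    # way a servlet container issues it by default (no Secure attribute) and
    # one marked Secure so it is only ever sent over https.
    jar.extract_cookies(
        _response_with_cookies([
            "JSESSIONID=abc123; Path=/fscope",
            "SAFESESSION=xyz789; Path=/fscope; Secure",
        ]),
        urllib.request.Request(PRIVATE_HTTPS),
    )
    return {
        # Why the session is lost: neither cookie is scoped to the other host.
        "other_host_http": cookies_sent_to(jar, PUBLIC_HTTP),
        # Why sharing it is dangerous: the non-Secure cookie rides along on a
        # plain http request to the same host, exposing the https session id.
        "same_host_http": cookies_sent_to(jar, PRIVATE_HOST_HTTP),
        "same_host_https": cookies_sent_to(jar, PRIVATE_HTTPS),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case}: {names}")
```

Any scheme that carries the https session across to the http hostname (a session id in the URL, a cookie set for a shared parent domain) reintroduces exactly the "same_host_http" case on every page: the private session identifier travels in the clear, so it has to be treated as a separate, lower-trust session rather than the https one.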