This is the way Tomcat 4.x.x is made to work.  The reason for this is 
security.  I think it can be assumed that you were under https for a 
reason.  Maybe you entered your credit card info and are storing that in the 
session until the final submit.  Now, if you stayed in the same session 
when moving from https to http, your session id is in plain text.  This can 
be hijacked by anyone sniffing network packets.  Once they have your 
session id, theoretically, they have full access to everything you entered 
in that session, including your credit card info.  This is a *huge* security 
issue.  Even if Tomcat-3.3.x allows you to do this, you would be 
wise to dump the session on your own before moving to http, for your users' 
security.

Obviously, this requires that you rethink some of your application flow, 
but Tomcat-4.x.x is doing the right thing here.

Jake

At 02:28 AM 10/17/2002 +0000, you wrote:
>Help!
>
>I recently tried to upgrade my version of Tomcat from 3.3 to 4.1 (I also 
>tried 4.0). My problem is that for some reason the HttpSession is lost 
>after redirection from https to http. I run Apache in front of Tomcat to 
>handle static content plus the certificate. My webapp depends on the ability to 
>log in a user over a secure connection and then redirect to an unsecure connection. 
>I do the usual
>res.sendRedirect(res.encodeRedirectURL.....)). But after redirecting to the 
>http protocol (to the same webapp context) the HttpSession is null.
>My webapp works fine in Tomcat 3.3. Nothing has changed except the Tomcat 
>version and of course the Tomcat conf. files. I've tried both the Coyote 
>connector and the ajp13 one, mod_jk and mod_jk2 (which I couldn't get 
>working) on the Apache side. I've tried Apache 1.3 and Apache 2. And I am 
>going insane.
>My server.xml file is close to the default one; I've only added my 
>context (defining docBase and such). For 3.3 this worked like a charm.
>Anyone??
>
>-Henrik
>
>

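Added example (not code from Jake, Henrik or the Tomcat project) of the "dump the session yourself before moving to http" approach Jake recommends, written against the Servlet 2.3 API (javax.servlet.*) that Tomcat 4 implements. The servlet class, attribute names, form parameter names and the redirect target are assumptions for illustration. The point is that the session whose id only ever travelled over TLS is invalidated before the redirect, so a session id later sniffed on the http side cannot be replayed to reach the card number; only attributes you are willing to expose to a packet sniffer are copied into the fresh session.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (example only): credentials and card data are
 * accepted over https, then the https-only session is thrown away before the
 * browser is sent to a plain-http page.
 */
public class SecureToPlainLoginServlet extends HttpServlet {

    // Attribute names are assumptions for this example.
    static final String ATTR_USER = "user";
    static final String ATTR_CARD = "cardNumber";

    // Only these attributes may survive the https -> http transition.
    static final String[] KEEP_ON_DOWNGRADE = { ATTR_USER };

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // Never accept credentials or card data over plain http.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires https");
            return;
        }

        // Illustrative only: a real application would authenticate here.
        HttpSession secureSession = req.getSession(true);
        secureSession.setAttribute(ATTR_USER, req.getParameter("username"));
        secureSession.setAttribute(ATTR_CARD, req.getParameter("card"));

        // Jake's advice: dump the session before moving to http. The card
        // number dies with the old session; a new id is issued for the
        // http side carrying nothing sensitive.
        downgradeSession(req, KEEP_ON_DOWNGRADE);

        // Hypothetical target URL. encodeRedirectURL appends ;jsessionid=...
        // only when the container decides URL rewriting is needed.
        res.sendRedirect(res.encodeRedirectURL("http://www.example.com/app/home"));
    }

    /**
     * Invalidates the current session and returns a fresh one that holds
     * only the whitelisted attributes.
     */
    static HttpSession downgradeSession(HttpServletRequest req, String[] keep) {
        HttpSession old = req.getSession(false);
        Object[] kept = new Object[keep.length];
        if (old != null) {
            for (int i = 0; i < keep.length; i++) {
                kept[i] = old.getAttribute(keep[i]);
            }
            old.invalidate(); // removes ATTR_CARD and everything else
        }
        HttpSession fresh = req.getSession(true); // new session id
        for (int i = 0; i < keep.length; i++) {
            if (kept[i] != null) {
                fresh.setAttribute(keep[i], kept[i]);
            }
        }
        return fresh;
    }
}
```

One caveat for Tomcat 4 specifically: a session created during an https request is issued with a Secure session cookie, which the browser will not send over http, so even the fresh session above may not follow the user to the plain-http side unless the id is carried in the URL. Either way the design holds: nothing reachable over http should depend on a session that was used to collect sensitive data over https.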