Thank you, that's what I think, but I can't make it why it was working on Tapestry 5.0.14. I think that it's not Tapestry related problem, but only Tapestry version changed - no browser, Tomcat or another. Making app accessible on https only is last option which I would like to avoid :)
čt 19. 3. 2015 v 18:00 odesílatel Kalle Korhonen <kalle.o.korho...@gmail.com> napsal: > On Thu, Mar 19, 2015 at 9:41 AM, Martin Polívka <martasdx....@gmail.com> > wrote: > > > Hi, I am quite new to Tapestry, but last month I am upgrading our app > from > > Tapestry 5.0.14 to 5.3.8. It's working now with one problem. > > We use Tomcat 7, servlet 3.0 (in the future Tomcat 8 and servlet 3.1) and > > Java 7. Tomcat listens on http (8080) and https(8443). If I use https, > > everything is OK. > > If I use http, I enter login page off app and SessionState object is > > created. I can see Session ID (equals X). It's done > > by contributeApplicationStateManager function in Module. Another > contribute > > is for URL (contributeServiceOverride) where we use only https > connection. > > That's because we want all ajax requests to go over https even if user is > > on http. > > So if user log in, session and cookie is created with atribute httpOnly > and > > if I send ajax request to https, another session is created by Tapestry. > > Is it possible to access the http session in https request? > > > > > In general, no, it's not possible. This is a security issue and it's not > related to Tapestry. Container-specific configuration may allow > joining/sharing sessions on the servers (I recall having done something > similar in the past with Tomcat). I'd advise simply using https everywhere, > it'll make your life easier. > > Kalle >