Tomcat handles user sessions (HttpSession) separately from SSL session. In other words, JSessionID is being generated independently from SSL. There is no relationship between an SSL session and the user session at the application level. You still have to use the same JSessionID (either implemented as a cookie or using url-rewriting) to access HttpSession even if SSL is turned on.
ND -----Original Message----- From: Jess Holle [mailto:[EMAIL PROTECTED] Sent: Monday, January 09, 2006 12:10 PM To: Tomcat Users List Subject: Re: AW: JSessionID Conveying servlet sessions by SSL session is clearly not required by the spec, though... I'm not sure whether Tomcat supports this... Bernhard Slominski wrote: >Hi, > >I just looked it up in the spec and there is a 3rd one as well: SSL Sessions > >>From the Servlet spec: > >"SRV.7.1 Session Tracking Mechanisms >The following sections describe approaches to tracking a user's sessions > >SRV.7.1.1 Cookies >Session tracking through HTTP cookies is the most used session tracking >mechanism and is required to be supported by all servlet containers. >The container sends a cookie to the client. The client will then return the >cookie on each subsequent request to the server, unambiguously associating >the >request with a session. The name of the session tracking cookie must be >JSESSIONID. > >SRV.7.1.2 SSL Sessions >Secure Sockets Layer, the encryption technology used in the HTTPS protocol, >has a >built-in mechanism allowing multiple requests from a client to be >unambiguously >identified as being part of a session. A servlet container can easily use >this data to >define a session. > >SRV.7.1.3 URL Rewriting >URL rewriting is the lowest common denominator of session tracking. When a >client will not accept a cookie, URL rewriting may be used by the server as >the basis >for session tracking. URL rewriting involves adding data, a session ID, to >the URL >path that is interpreted by the container to associate the request with a >session. >The session ID must be encoded as a path parameter in the URL string. The >name of the parameter must be jsessionid. > >..." > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
