"Jess Holle" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Conveying servlet sessions by SSL session is clearly not required by the > spec, though... > > I'm not sure whether Tomcat supports this... >
It doesn't (mostly because nobody has been interested enough to write the code for it). > Bernhard Slominski wrote: > >>Hi, >> >>I just looked it up in the spec and there is a 3rd one as well: SSL >>Sessions >> >>>From the Servlet spec: >> >>"SRV.7.1 Session Tracking Mechanisms >>The following sections describe approaches to tracking a user's sessions >> >>SRV.7.1.1 Cookies >>Session tracking through HTTP cookies is the most used session tracking >>mechanism and is required to be supported by all servlet containers. >>The container sends a cookie to the client. The client will then return >>the >>cookie on each subsequent request to the server, unambiguously associating >>the >>request with a session. The name of the session tracking cookie must be >>JSESSIONID. >> >>SRV.7.1.2 SSL Sessions >>Secure Sockets Layer, the encryption technology used in the HTTPS >>protocol, >>has a >>built-in mechanism allowing multiple requests from a client to be >>unambiguously >>identified as being part of a session. A servlet container can easily use >>this data to >>define a session. >> >>SRV.7.1.3 URL Rewriting >>URL rewriting is the lowest common denominator of session tracking. When a >>client will not accept a cookie, URL rewriting may be used by the server >>as >>the basis >>for session tracking. URL rewriting involves adding data, a session ID, to >>the URL >>path that is interpreted by the container to associate the request with a >>session. >>The session ID must be encoded as a path parameter in the URL string. The >>name of the parameter must be jsessionid. >>..." >> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]