In my shopping cart application, I create a cart with a unique (random) id
and track the request type (secure/non-secure). 

If they invoke the program from an SSL request, and the previous request was
non-SSL then I create a new cart with a new unique ID, copy the information
from the insecure cart, and then delete the old cart.

If someone tries to come back with the old cart id, then that cart just
doesn't exist and they get a new cart.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
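As an added illustration of the scheme described above (random cart id, track whether each request was secure, and on the first SSL request mint a fresh id, copy the cart over and delete the old one) and of the point in the quoted reply below that an id sent in plain text is exposed and must not be carried into the SSL session, here is a small self-contained model. It is not code from this thread or from Tomcat; `CartStore`, `Cart`, the `lookup()` interface and the treatment of a later non-SSL request (it marks the id as exposed again, so the next SSL request rotates it once more) are my own assumptions built on "track the request type".

```python
"""Cart-id rotation on the non-SSL -> SSL transition (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Cart:
    cart_id: str
    secure: bool            # False once this id has travelled in plain text
    items: dict = field(default_factory=dict)   # sku -> quantity


class CartStore:
    """In-memory cart store keyed by an unguessable cart id."""

    def __init__(self):
        self._carts = {}    # cart_id -> Cart

    @staticmethod
    def _new_id() -> str:
        # 128 bits from the OS CSPRNG; never a counter or a timestamp,
        # otherwise a new id could be predicted from an old one.
        return secrets.token_urlsafe(16)

    def create(self, secure: bool) -> Cart:
        cart = Cart(self._new_id(), secure)
        self._carts[cart.cart_id] = cart
        return cart

    def lookup(self, cart_id, secure: bool) -> Cart:
        """Resolve the id the client presented on a request made over
        `secure` (SSL) or not.

        Unknown or retired ids simply yield a fresh empty cart, exactly as
        the post describes: an id captured on the wire buys nothing.
        """
        cart = self._carts.get(cart_id) if cart_id else None
        if cart is None:
            return self.create(secure)
        if secure and not cart.secure:
            # previous use was in plain text: the id may have been seen,
            # so move the contents to a brand-new id and retire the old one
            return self._rotate(cart)
        if not secure:
            # assumption: a cleartext request taints the id, so the next
            # SSL request will rotate it again
            cart.secure = False
        return cart

    def _rotate(self, old: Cart) -> Cart:
        new = Cart(self._new_id(), secure=True, items=dict(old.items))
        self._carts[new.cart_id] = new
        del self._carts[old.cart_id]        # old id is gone, not just flagged
        return new


if __name__ == "__main__":
    store = CartStore()
    plain = store.lookup(None, secure=False)
    plain.items["sku-1"] = 2
    ssl_cart = store.lookup(plain.cart_id, secure=True)
    print(plain.cart_id, "->", ssl_cart.cart_id, ssl_cart.items)
```

The old cart is deleted rather than marked invalid, so a replayed plaintext id is indistinguishable from a never-seen one and just starts an empty cart; the item data survives because it was copied under the new id before the delete.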
  

> -----Original Message-----
> From: Joey Geiger [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 15, 2006 11:50 AM
> To: 'Tomcat Users List'
> Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
> 
> >> You do realize that sessions don't carry over between SSL and non-SSL
> >> requests, don't you?
> 
> What is the proper/best way to go about this then, since I will be facing a
> similar situation in the near future? (Shopping cart bean, customer bean
> saved in the session.)
> 
> Thanks.
> 
> 
> -----Original Message-----
> From: George Sexton [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 15, 2006 12:17 PM
> To: 'Tomcat Users List'; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
> 
> You do realize that sessions don't carry over between SSL and non-SSL
> requests, don't you?
> 
> You can't have a session ID that carries over from a non-SSL session to an
> SSL session because that session ID is compromised (it has been exposed) as
> plain text.
> 
> As an aside, I looked at your form. You should really use
> HttpServletRequest.getLocale() to pick up your user's locale and then
> provide date formatting for the user locale.
> 
> George Sexton
> MH Software, Inc.
> http://www.mhsoftware.com/
> Voice: 303 438 9585
>   

