On 08.01.16 at 11:43, Olaf Kock wrote:
Is there any chance that the first and correctly authenticated cookies (despite the debug output "secure=false") are https-only cookies and won't get transmitted in http, thus triggering new sessions? E.g. any chance they get rewritten at another level (Apache httpd, ServletFilter, others) to be secure only - or that the debug output is slightly incorrect because it omits the secure flag?
This is from a test installation on the productive server where it can only be observed. For simplicity I use the maven cargo plugin to set up the tomcat here. It shows the same behavior on the productive server, where it uses HTTPS in combination with Apache HTTPD.
I use BeanUtil.describe() to produce the cookie String. So this should all be correct.
This error comes up on every browser with at least a certain number of requests to that servlet. It has something to do with a race condition or side effect I'm not aware of.
If I do not use container authentication, HTTP sessions won't get lost. I have been hunting this bug for so many weeks now and have run out of ideas.

regards,
Thomas