We have found the problem. Our deployment process misconfigured the jvmRoute tag in the server.xml. All tomcats had the same jvmRoute name and therefore mod_jk load balanced the change of the protocol to a different server. The new server did not know the session, initiated a new one and used the presented JSESSIONID value for the new session and cookie.

After assigning a unique name to each server (node01, node02, ....) in the jvmRoute tag, the behaviour is as expected. A session established over http sets the cookie with secure=no and this remains no over protocol changes.

We are sorry for any disturbance our question might have caused.

With kind regards,
Christian Kupferschmid

-----Original Message-----
From: Kupferschmid Christian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28. February 2007 17:02
To: [email protected]
Subject: Tomcat 5.5 JSESSIONID gets overwritten with same value but flagged 'secure' when switching from http to https

Hi

We are trying to get around the following problem: We have a bunch of apaches running mod_jk in front of a JBoss farm. The application requires a login to get a valid session. Research in the Internet has shown the information that in order to maintain a session over http and https the JSESSIONID must be established during an http request. This is to get the cookie not marked as 'secure', so that the browser can send the cookie over both connections (http and https).

So we provide the login page in http delivered out of the tomcat, thus getting a JSESSIONID with 'secure=no'. The following POST then uses https to transport the username and password for login.

What we see now is that when the session switches from http to https the JSESSIONID cookie gets overwritten with the same value (the ID) but the secure flag is now set to 'true'. The user then gets dropped out of his session when the application switches back to http.

The flow is like this:

http (cookie gets set with flag 'secure=no') -> https (cookie gets reset with flag 'secure=yes') -> http (session context gets lost, because the browser does not send the jsessionid cookie to the server)

How can we prevent the cookie from being reset with 'secure=yes' when switching to https and already having an established sessionid?

Help would be appreciated.

With kind regards,
Christian Kupferschmid
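The thread's root cause is a jvmRoute that did not let mod_jk route sticky sessions to the node that owned them. The following Python script is an added illustration, not a configuration or tool from the thread or from the Tomcat/mod_jk projects: it parses constructed server.xml fragments and a constructed workers.properties, flags jvmRoutes that are missing, duplicated, or unknown to the load balancer, and shows how the route suffix of a JSESSIONID decides which worker receives a request. The host names host-a/host-b and the worker names are assumptions; node01/node02 are the names from the reply above.

```python
"""Validate Tomcat jvmRoute values against mod_jk workers and simulate
mod_jk's sticky-session routing on the JSESSIONID route suffix."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragments, one per Tomcat node (hypothetical hosts).
# Every node carries the same jvmRoute: the misconfiguration from the thread.
BROKEN_SERVER_XMLS = {
    "host-a": '<Server><Service name="Catalina"><Engine name="Catalina" '
              'defaultHost="localhost" jvmRoute="tomcat"/></Service></Server>',
    "host-b": '<Server><Service name="Catalina"><Engine name="Catalina" '
              'defaultHost="localhost" jvmRoute="tomcat"/></Service></Server>',
}
# Same fragments after the fix: one unique jvmRoute per node.
FIXED_SERVER_XMLS = {
    "host-a": '<Server><Service name="Catalina"><Engine name="Catalina" '
              'defaultHost="localhost" jvmRoute="node01"/></Service></Server>',
    "host-b": '<Server><Service name="Catalina"><Engine name="Catalina" '
              'defaultHost="localhost" jvmRoute="node02"/></Service></Server>',
}
# Constructed workers.properties; worker names must equal the jvmRoutes.
WORKERS_PROPERTIES = """
worker.list=loadbalancer
worker.node01.type=ajp13
worker.node01.host=host-a
worker.node01.port=8009
worker.node02.type=ajp13
worker.node02.host=host-b
worker.node02.port=8009
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node01,node02
worker.loadbalancer.sticky_session=1
"""


def jvm_routes(server_xmls):
    """Map each host to the jvmRoute attribute of its <Engine> element."""
    routes = {}
    for host, xml in server_xmls.items():
        engine = ET.fromstring(xml).find(".//Engine")
        routes[host] = engine.get("jvmRoute") if engine is not None else None
    return routes


def balance_workers(properties):
    """Return the worker names the lb worker balances over."""
    for line in properties.splitlines():
        m = re.match(r"worker\.\w+\.balance_workers=(.+)", line.strip())
        if m:
            return [w.strip() for w in m.group(1).split(",")]
    return []


def config_problems(server_xmls, properties):
    """Report jvmRoutes that are missing, duplicated, or unknown to mod_jk.
    Any of these breaks stickiness: the cookie's route suffix then matches
    no single worker and the request is balanced to an arbitrary node."""
    workers = set(balance_workers(properties))
    problems, seen = [], {}
    for host, route in jvm_routes(server_xmls).items():
        if not route:
            problems.append(f"{host}: no jvmRoute set")
        elif route in seen:
            problems.append(f"{host}: jvmRoute {route!r} duplicates {seen[route]}")
        elif route not in workers:
            problems.append(f"{host}: jvmRoute {route!r} matches no balance worker")
        seen.setdefault(route, host)
    return problems


def route_request(cookie_header, properties, fallback):
    """Sticky routing as mod_jk does it: the part of JSESSIONID after the
    '.' names the worker; if it is absent or unknown, fall back to balancing."""
    workers = balance_workers(properties)
    m = re.search(r"JSESSIONID=([^;]+)", cookie_header or "")
    if m and "." in m.group(1):
        route = m.group(1).split(".", 1)[1]
        if route in workers:
            return route
    return fallback(workers)


if __name__ == "__main__":
    print("broken:", config_problems(BROKEN_SERVER_XMLS, WORKERS_PROPERTIES))
    print("fixed: ", config_problems(FIXED_SERVER_XMLS, WORKERS_PROPERTIES))
    first = lambda ws: ws[0]  # stand-in for the balancer's own choice
    print(route_request("JSESSIONID=ABC123.node02", WORKERS_PROPERTIES, first))
    print(route_request("JSESSIONID=ABC123.tomcat", WORKERS_PROPERTIES, first))
```

Run it against copies of each node's server.xml and the workers.properties from the Apache side: an empty problem list means every node has a route the balancer can honour, and a cookie such as JSESSIONID=ABC123.node02 will keep landing on node02 whether the request arrives over http or https.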
