If your client doesn't want to write cookies,
URL-rewrite is the answer
http://tuckey.org/urlrewrite/
Apache analog is mod_rewrite
HTH
Martin
----- Original Message -----
From: "André Warnier" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, June 05, 2008 7:56 PM
Subject: Re: Moving from a very old Tomcat to a new Tomcat.
Bill Davidson wrote:
> Christopher Schultz wrote:
>> Are you using cookies or URL-rewriting (or both) for your application?
>> Can you use a tool like LiveHTTPHeaders to observe the headers being
>> exchanged during the interaction described above?
>
> We are using cookies to track sessions. I don't think we're using URL
> rewriting. Servlets and jsp's are handed off to Tomcat. Everything else
> is Apache httpd.
>
> We seem to be losing the cookie when a page being served from the SSL
> virtual host forwards to a page that is not SSL (back in the regular host
> on port 80). No cookie means the server doesn't know that the browser is
> attached to the session it created for the user.

This may not be the cause of your problem, but I remember vaguely that
there can be a flag in a cookie saying "for SSL only". If such was the
case, the browser may just decide to not send the cookie anymore, even to
the same host, once you switch back to a non-SSL connection.

"losing the cookie" is also maybe a misnomer here. The entity that "has
the cookie" and decides to send it or not is the browser. The only way
the server can tell the browser to "lose a cookie", is by resending the
same cookie with an expiration date in the past. That should cause the
browser to delete the cookie and not send it anymore.

What I mean is: to "set a cookie in the browser", the server sends a
"Set-Cookie" HTTP header to the browser, along with some normal result
page. It does this once (or more, but once is enough). After that, the
browser will always send back the cookie with each request to the same
server, as a "Cookie:" HTTP header, until this cookie expires. When the
expiration date/time of the cookie is reached, the browser purges the
cookie from its memory, and that is when it stops sending it.
There is no "Unset-Cookie" or "Stop-sending-this-cookie" HTTP header that
the server can send to the browser.

> My lack of Apache skills is no doubt showing. Is there a way to have
> Apache 2.2 serve both 80 (clear) and 443 (SSL) from the primary
> host instead of a virtual host? I'm guessing that the switch from the
> virtual host to the main host (both with the same hostname and IP but
> listening on different ports) is what's causing the cookie to get lost.

As far as I know, a cookie is not port-specific. Host or domain-specific
yes, but port not.
------------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
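
Added example, not part of the original thread: a small Python model of the browser-side cookie rules discussed above (Secure flag, host-specific but not port-specific, deletion only through an expiry date in the past). The class and function names, the host name and the header values are constructed for illustration, and path matching is simplified to a prefix check.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class BrowserJar:
    """Toy browser cookie store (host-only cookies, simplified path matching)."""

    def __init__(self):
        self.cookies = {}  # (host, name) -> Morsel; the port is not part of the key

    def receive(self, url, set_cookie):
        """Process one Set-Cookie header value from a response to `url`."""
        host = urlsplit(url).hostname
        for name, morsel in SimpleCookie(set_cookie).items():
            expires = morsel["expires"]
            if expires and parsedate_to_datetime(expires) <= datetime.now(timezone.utc):
                # An expiry date in the past makes the browser delete the cookie.
                self.cookies.pop((host, name), None)
            else:
                self.cookies[(host, name)] = morsel

    def cookie_header(self, url):
        """Return the Cookie: header value the browser would send to `url`."""
        target = urlsplit(url)
        sent = []
        for (host, name), morsel in self.cookies.items():
            if host != target.hostname:
                continue  # cookies are host-specific
            if morsel["secure"] and target.scheme != "https":
                continue  # Secure flag: withheld on plain HTTP, even to the same host
            if not (target.path or "/").startswith(morsel["path"] or "/"):
                continue  # outside the cookie's Path
            sent.append(f"{name}={morsel.value}")
        return "; ".join(sent)


def session_survives(set_cookie):
    """Log in over HTTPS, then follow a forward to the port-80 host."""
    jar = BrowserJar()
    # Constructed host name and URLs, for illustration only.
    jar.receive("https://www.example.com/app/login", set_cookie)
    return jar.cookie_header("http://www.example.com:80/app/home") != ""


if __name__ == "__main__":
    print(session_survives("JSESSIONID=ABC123; Path=/app; Secure"))  # Secure cookie
    print(session_survives("JSESSIONID=ABC123; Path=/app"))          # no Secure flag
```

Comparing the real `Set-Cookie` header captured on the SSL virtual host against these two cases shows whether the Secure flag explains the lost session.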