Bill,

Bill Davidson wrote:
| One other thing I just noticed. The login servlet runs
| under https. After successful login, including creating a valid
| session, it calls
| HttpServletResponse.sendRedirect("http://myHost.myDomain.com/context/servlets/main");
|
| which is the one that ends up with no cookie.

Unfortunately, this is expected behavior. If the JSESSIONID cookie is created for the first time during an HTTPS transaction, then the cookie will be marked as "secure", and the browser will not send it when switching back to non-SSL HTTP.

You have two options, here:

1. Make sure that the user has a session /before/ going into SSL mode

or

2. Make everything after login use SSL

Neither choice is particularly appetizing. :(

You might be able to write a filter to adjust the "secure" bit on the cookie as it goes out the door, but I can't guarantee that would work. I'm unsure of the security implications, there, either, but I suspect they are not too bad.

-chris
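The cookie behavior described in this message, reproduced as an added example that is not part of the original thread: Python's standard `http.cookiejar` stands in for the browser, and the script shows when a JSESSIONID cookie is returned after a switch between HTTPS and HTTP. The session id, the login and landing paths, and all function names are assumptions made for the example; the host and `/context/servlets/main` come from the post.

```python
import email.message
import http.cookiejar
import urllib.request

# Host and /context/servlets/main are from the post; the login and landing
# paths and the session id are constructed for this example.
BASE = "myHost.myDomain.com/context"
LOGIN_HTTPS = "https://" + BASE + "/servlets/login"
LANDING_HTTP = "http://" + BASE + "/"
MAIN_HTTP = "http://" + BASE + "/servlets/main"
MAIN_HTTPS = "https://" + BASE + "/servlets/main"
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/context; Secure"
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/context"


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, issuing_url, next_url):
    """Store the cookie issued by issuing_url, then return the Cookie header
    a client would attach to next_url (None when nothing is sent)."""
    jar = http.cookiejar.CookieJar()
    issuing = urllib.request.Request(issuing_url)
    jar.extract_cookies(FakeResponse(set_cookie), issuing)
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        # Session first created during HTTPS login: cookie carries Secure.
        ("secure cookie, redirect to http ", SECURE_COOKIE, LOGIN_HTTPS, MAIN_HTTP),
        ("secure cookie, stay on https    ", SECURE_COOKIE, LOGIN_HTTPS, MAIN_HTTPS),
        # Session created over plain HTTP before login: no Secure flag, so the
        # cookie is returned on both schemes (in clear text over HTTP).
        ("plain cookie, later https login ", PLAIN_COOKIE, LANDING_HTTP, MAIN_HTTPS),
        ("plain cookie, back on http      ", PLAIN_COOKIE, LANDING_HTTP, MAIN_HTTP),
    ]
    for label, cookie, issued_at, target in cases:
        print(label, "->", cookie_sent(cookie, issued_at, target))
```

The first case is the redirect from the quoted message: the follow-up HTTP request carries no Cookie header, so the servlet sees no session.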