On 14/09/2010 15:16, Christopher Schultz wrote: I'm in the middle of some major re-factoring so I don;t have time to actually test this...
> 0. [Browser has two JSESSIONID cookies: one secure=true and one > secure=false] This I doubt. When testing load-balancing on a single machine, I have seen browsers send the same cookie to two Tomcat instances that only differ by port number. I suspect https and http will be treated the same way and one cookie will just overwrite the other. You should test that to be sure though. > 1. Browser makes an HTTPS connection to the server and sends both cookies > 2. Application code calls request.getSession() Assuming browsers behave the way I think they will, this should be a non-issue. If they don't it will get 'interesting'. Either way you'll need to experiment to be sure. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org