David Oxley typed the following on 01:07 PM 2/8/2001 +0000
>>I sort-of understand what you're doing, but I'm not clear on a couple of
>>details.
>>What do you mean when you say you've "coded a request"? How exactly is
>>the session ID passed from the original host to the new host, is this by a
>>form field embedded into the HTML, or is it all on the server side?
>
>Like URL-Encoded session management. The host passes our session id back to
>the server when changing hosts so that it can be connected to the new
>HttpSession.
>
>Doesn't normal session management have exactly the same problem? When
>writing an E-Commerce system the basket is normally chosen on an unsecure
>host and then the user is put on to a secure host to checkout their
>products. You need to be able to id the user between the two hosts. There
>has to be a 'secure' way of doing this?!?!

It's problematic, because some browsers (I don't recall which) will send a
cookie that was set by http://foo.com to https://foo.com, and some won't.
Maybe somebody else can shed light on this.

Kief

