Chris,

On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Gregor,
>
> On 3/13/2009 11:42 AM, Gregor Schneider wrote:
>> So would following scenario work?
>>
>> - login using form-based login via https
>>
>> - when successful:
>>    HttpSession session = request.getSession();
>>    // guess that shouldn't happen
>>    if (session != null) {
>>       session.invalidate();
>>    }
>>    session = request.getSession (true);
>>
>> Looks ok to me - your comments?
>
> I don't see how this could work. Immediately after login you invalidate
> the session, thus logging-out the user.
>

Duuh... you're right: Invalidating the session logs the user out.

> Here's what you want to do:
>
[ snip ]
>
> I think that will make it all work.
>
So will I then be able to access the HttpSession-object created when
inside HTTPS (login-page) when I'm querying it from within a JSP
served via plain HTTP?
That was the problem Chuck mentioned, and this I tried to solve with
my - silly - suggestion from above?

Actually I don't think so.

What I'm just wondering is:

I see quite a few pages using HTTPS for authorization (form-based),
but once authorized, they serve via HTTP.
Just how do they do that?

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
