Chris,

On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Gregor,
>
> On 3/13/2009 11:42 AM, Gregor Schneider wrote:
>> So would the following scenario work?
>>
>> - login using form-based login via https
>>
>> - when successful:
>>     HttpSession session = request.getSession();
>>     // guess that shouldn't happen
>>     if (session != null) {
>>         session.invalidate();
>>     }
>>     session = request.getSession(true);
>>
>> Looks ok to me - your comments?
>
> I don't see how this could work. Immediately after login you invalidate
> the session, thus logging-out the user.

Duuh... you're right: invalidating the session logs the user out.

> Here's what you want to do:
> [ snip ]
>
> I think that will make it all work.

So will I then be able to access the HttpSession object created when inside HTTPS (login page) when I'm querying it from within a JSP served via plain HTTP? That was the problem Chuck mentioned, and this I tried to solve with my - silly - suggestion from above. Actually I don't think so.

What I'm just wondering is: I see quite a few pages using HTTPS for authorization (form-based), but once authorized, they serve via HTTP. Just how do they do that?

Rgds

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371