> We've been examining the headers, but the server doesn't seem to send any > cookies (in http it does, but not in https). I was assuming this was > supposed to be done through some under-water process (I'm not very familiar > with https), but the HttpState object does not contain any cookies in its > cookie collection after the first request (in http it does). Is this normal?
Some application servers (IBM Websphere 4.0.x for instance) can use SSL session ID instead of a session cookie to lookup HTTP session data on the server side. This certainly makes things more secure, as many exploits based on stealing or faking the session cookie are rendered impossible. Oleg --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
