> > We've been examining the headers, but the server doesn't seem to send any > > cookies (in http it does, but not in https). I was assuming this was > > supposed to be done through some under-water process (I'm not very familiar > > with https), but the HttpState object does not contain any cookies in its > > cookie collection after the first request (in http it does). Is this normal? > > Some application servers (IBM Websphere 4.0.x for instance) can use SSL session > ID instead of a session cookie to lookup HTTP session data on the server side. > This certainly makes things more secure, as many exploits based on stealing or > faking the session cookie are rendered impossible.
I see, so the reason I don't see cookies in OC4J might be because they use this method. Do you know if (and how) HttpClient supports this type of session? Thanks, Arjan --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
