Hello Jean,

are the two links *exactly* the same, apart from the protocol?
In other words, does "somelink" in your examples refer to the
same, fully qualified host name for both links? Does the https
authentication URL really have no path, or did you remove it
to obfuscate sensitive information? Since it's not the secure
flag, my next two guesses would be:

1. mismatching host/domain names
2. mismatching path

As Mike suggested, a wire log would provide us with the
exact definition of the cookie and of the URLs. If you have
to obfuscate the URLs, please keep structural information
intact:

https://our.secret.host/xxx/yyy/login.html

is quite different from

https://hostname/somewhere.html

If the authentication URL you are using is indeed pathless,
you could try again with the path of the authentication page
or servlet.

cheers,
  Roland
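
A simplified model of the three checks discussed in this thread (secure flag, host/domain, path), added here as an example; it is not code from the thread or from Commons HttpClient. The `check` helper and the sample cookie values are constructed for illustration, and the matching rules are a reduced version of what a real cookie spec applies.

```java
import java.net.URI;
// Simplified model of the checks a client makes before sending a stored cookie.
// Added illustration; not Commons HttpClient's CookieSpec implementation.
public class CookieVisibility {

    // Hypothetical helper: returns "sent" or the first reason the cookie is withheld.
    static String check(String domain, String path, boolean secure, String url) {
        URI u = URI.create(url);
        String host = u.getHost().toLowerCase();
        String reqPath = (u.getPath() == null || u.getPath().isEmpty()) ? "/" : u.getPath();
        String d = domain.toLowerCase();
        if (secure && !"https".equalsIgnoreCase(u.getScheme())) {
            return "withheld: secure cookie, non-https request";
        }
        // Host must equal the cookie domain, or end with it when the domain starts with a dot.
        boolean domainOk = d.startsWith(".")
                ? host.endsWith(d) || host.equals(d.substring(1))
                : host.equals(d);
        if (!domainOk) {
            return "withheld: host " + host + " does not match domain " + domain;
        }
        // Request path must equal the cookie path or lie underneath it.
        boolean pathOk = reqPath.equals(path)
                || (reqPath.startsWith(path)
                    && (path.endsWith("/") || reqPath.charAt(path.length()) == '/'));
        if (!pathOk) {
            return "withheld: path " + reqPath + " is outside cookie path " + path;
        }
        return "sent";
    }

    public static void main(String[] args) {
        // Constructed cookie, as if set by https://our.secret.host/xxx/yyy/login.html
        String domain = "our.secret.host", path = "/xxx/yyy";
        String[] urls = {
            "https://our.secret.host/xxx/yyy/page.html", // same host, under the cookie path
            "http://our.secret.host/xxx/yyy/page.html",  // only the protocol differs
            "http://our.secret.host/test.html",          // guess 2: mismatching path
            "http://hostname/xxx/yyy/page.html"          // guess 1: mismatching host
        };
        for (boolean secure : new boolean[] {false, true}) {
            for (String url : urls) {
                System.out.println("secure=" + secure + " " + url + " -> "
                        + check(domain, path, secure, url));
            }
        }
    }
}
```

With `secure=false` the plain-http request to the same host and path is sent, while the last two URLs are still withheld, which is why the structural parts of the obfuscated URLs matter for the diagnosis.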






"Jean, Victor [IT]" <[EMAIL PROTECTED]>
21.04.2004 18:56
Please respond to "Commons HttpClient Project"
 
        To:     "Commons HttpClient Project" <[EMAIL PROTECTED]>
        cc: 
        Subject:        RE: Cookie Visibility Problem from https to http


Hi Mike, 

Thanks for your response.  I printed out the list of cookies set in 
HttpState and found that all the cookies' secure flags are set to false. I 
also tried adding the same cookie name/value/domain/path with the false 
secure flag without any success.  The http call does not seem to see the 
cookie.  Can you think of any other reasons why the cookie is not visible?

-----Original Message-----
From: Michael Becke [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 10:08 PM
To: Commons HttpClient Project
Subject: Re: Cookie Visibility Problem from https to http


Hi Victor,

My guess is that the "secure" flag is being set on this cookie.  This 
flag means that the cookie should only be sent over secure (HTTPS) 
connections.  You can get around this problem by manually adding a new 
cookie (HttpState.addCookie()) with the same values, but setting secure 
to false.  The problem here is that the cookie is set to secure for a 
reason.  My guess is that this cookie contains a session ID that if 
sniffed could be used to gain access to the server as the authenticated 
user.  This may or may not be a concern in your situation.

Mike

On Apr 20, 2004, at 7:07 PM, Jean, Victor [IT] wrote:

> Hello,
>
> I'm having an issue where a cookie set by posting to a https:// link 
> is not being recognized/picked up when I make a http:// call.
>
> I'm using HttpClient and PostMethod to send username/password to be 
> authenticated at the https link.  Once authenticated, a cookie is set 
> by the server and then I make a http call using GetMethod to access 
> the link I need.  However, the http call does not pick up the cookie 
> and I get redirected to authenticate again.  If I make a https get 
> call after the cookie is set, the link works fine in detecting the 
> cookie, the problem is with http calls.  Can someone help by telling 
> me how to make the cookie visible to http when it has been set by 
> https?
>
> Below is my sample code:
>
>         //Setup the httpclient
>         HttpClient client = new HttpClient();
>         client.setTimeout(TIMEOUT);
>         client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
>
>         Protocol.registerProtocol("https", new Protocol("https",
>                 new EasySSLProtocolSocketFactory(), 443));
>
>         String authenticationURL = "https://somelink";
>
>         //Post the username/password to the authentication URL
>         PostMethod postUserPasswod = new PostMethod(authenticationURL);
>         postUserPasswod.setFollowRedirects(true);
>         postUserPasswod.addParameter("USER", username);
>         postUserPasswod.addParameter("PASSWORD", password);
>
>         //Execute the Post. If successful, an authentication cookie will be set
>         //Then continue executing the request
>         client.executeMethod(postUserPasswod);
>
>         //Request the http link with the same client (and so the same HttpState)
>         GetMethod requestURL = new GetMethod("http://somelink/test.html");
>         client.executeMethod(requestURL);
>         ins = new BufferedInputStream(requestURL.getResponseBodyAsStream());
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> [EMAIL PROTECTED]
> For additional commands, e-mail: 
> [EMAIL PROTECTED]
>

