Where do you have the private "carts" attribute? In a JSP page? In a bean?
Try to put it in the application context. This example is for a JSP page, where you have an implicit "application" object of type javax.servlet.ServletContext.

    Hashtable carts;
    // Lock so that two concurrent first requests cannot each create
    // and register their own table (the second would discard the first)
    synchronized(application)
    {
        carts = (Hashtable)application.getAttribute("carts");
        if(carts == null) // If hashtable has not been initialized
        {
            carts = new Hashtable();
            application.setAttribute("carts", carts);
        }
    }
    // put/get code here

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Alireza Nahavandi
> Sent: Monday, December 09, 2002 9:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security
>
> Hi Guys,
>
> Using HASH table seems to be working. Thank you very much for your answers.
> There is another problem here:
> Suppose that I have a shopping cart as a session object:
>
> <jsp:useBean id="cart" scope="session" class="shop.Cart" />
>
> This line is on top of related jsp files.
>
> While I am working in a non-secure server everything is fine. I can add to
> this session and get it in other JSPs.
> But in the secure server, when I populate the object with HASH table
> content, other JSPs cannot see the content. This is how
> I do this. Am I missing anything?
>
> Thank you in advance.
>
> ....
> private Hashtable carts = new Hashtable();
> ....
>
> // adding shopping cart to Hash table
> public void addCartToHashTable(Cart cart, String key) {
>
>     this.carts.put(key, cart);
> }
>
> .....
>
> // retrieving shopping cart from Hash table
> public Cart rtrvCart(Cart cart, String key) {
>
>     cart = (Cart)this.carts.get(key);
>     return cart;
> }
>
> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Mattias Jiderhamn
> Sent: Thursday, December 05, 2002 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Secure server
>
> Read the docs of your container about sessions. Resin can store session
> information on disk and in a database, maybe that could be a workaround for
> transferring session from HTTP -> HTTPS?
>
> Another idea (apart from Adrian's) would be to put all the data you need to
> transfer in some structure (hashtable) in the application scope, and include
> a unique key in the secure shopping form, so the new HTTPS session will
> retrieve the old data from the application scope. You have to be very
> careful about security though.
>
> > -----Original Message-----
> > From: A mailing list about Java Server Pages specification and reference
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Alireza Nahavandi
> > Sent: Thursday, December 05, 2002 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Secure server
> >
> > Hi guys,
> >
> > Thank you for your responses. I tested URL rewriting. It did not work. Any
> > other solution?
> >
> > Thank you again.
> >
> > -----Original Message-----
> > From: A mailing list about Java Server Pages specification and reference
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> > Sent: Thursday, December 05, 2002 2:59 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Secure server
> >
> > Yeah good idea - would certainly solve the browser side issue. Does tomcat
> > (or any other servlet container) preserve sessions across http / https?
> >
> > > -----Original Message-----
> > > From: Mattias Jiderhamn [SMTP:[EMAIL PROTECTED]]
> > > Sent: 05 December 2002 09:54
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Secure server
> > >
> > > Using URL rewriting when posting from the http session to the https
> > > session should also work ... right?
> > >
> > > > -----Original Message-----
> > > > From: A mailing list about Java Server Pages specification and reference
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Janssen
> > > > Sent: Thursday, December 05, 2002 7:48 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Secure server
> > > >
> > > > Sessions are not shared across http / https boundaries. This is an
> > > > artifact of the browser. It will deliberately not recognise http and
> > > > https pages as being in the same "context" and will generate a new
> > > > session id cookie as soon as the transition from http to https is made.
> > > > This is for security reasons as whatever was done in http is vulnerable
> > > > and therefore cannot be trusted by an https session.
> > > >
> > > > Either start your https session earlier - like as soon as the user
> > > > starts filling the shopping cart - it's not that expensive, or
> > > > explicitly post everything to the first page in the https session.
> > > >
> > > > > -----Original Message-----
> > > > > From: Alireza Nahavandi [SMTP:[EMAIL PROTECTED]]
> > > > > Sent: 04 December 2002 06:02
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Secure server
> > > > >
> > > > > Hi everybody,
> > > > > I think there was a discussion about this problem before....
> > > > > I need some help with secure server.
> > > > > I have a session object for a shopping cart:
> > > > > <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > > > For checking out I need to call programs from a path like:
> > > > > https://secure.shop.com/chk1.jsp
> > > > > In chk1.jsp still I have the definition of cart like before:
> > > > > <jsp:useBean id="cart" scope="session" class="shop.Cart" />
> > > > > But the session is empty.
> > > > > Has anybody faced this problem before? Any solution?
> > > > > Thank you in advance.
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".

Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
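
Added example, not part of the original thread: one way to implement the handoff suggested above (a structure in application scope plus a unique key in the secure form) so that the key is unguessable, single-use and short-lived. The class name `CartHandoff`, its methods and the two-minute lifetime are assumptions made for illustration; it needs Java 8 or later.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical application-scope store for handing a cart from the HTTP session to the HTTPS one. */
public class CartHandoff {
    private static final long TTL_MILLIS = 2 * 60 * 1000;   // assumed lifetime of a handoff key
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final Object cart; final long expiresAt;
        Entry(Object cart, long expiresAt) { this.cart = cart; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    /** HTTP side: park the cart and return the key to embed in the checkout form. */
    public String deposit(Object cart, long now) {
        byte[] raw = new byte[16];                 // 128 random bits, unlike a counter or a user id
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(key, new Entry(cart, now + TTL_MILLIS));
        return key;
    }

    /** HTTPS side: returns the cart once, or null for unknown, reused or expired keys. */
    public Object redeem(String key, long now) {
        if (key == null) return null;
        Entry e = pending.remove(key);             // atomic remove makes the key single-use
        return (e == null || now > e.expiresAt) ? null : e.cart;
    }

    public static void main(String[] args) {
        CartHandoff store = new CartHandoff();     // in a JSP this instance would be an "application" attribute
        long t0 = System.currentTimeMillis();
        String key = store.deposit("cart with 3 items (constructed sample)", t0);
        System.out.println("first redeem : " + store.redeem(key, t0 + 1000));
        System.out.println("replayed key : " + store.redeem(key, t0 + 2000));
        String late = store.deposit("another cart (constructed sample)", t0);
        System.out.println("expired key  : " + store.redeem(late, t0 + TTL_MILLIS + 1));
        System.out.println("unknown key  : " + store.redeem("guess", t0));
    }
}
```

The key is still delivered in a page served over HTTP, so the HTTPS side should treat the redeemed cart as untrusted input and re-check items and prices; starting the HTTPS session earlier, as suggested in the thread, removes the need for the handoff.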