Hello Peter,

Actually, another user experienced the same thing this week, so we are already
looking into it.

I'll forward the reply that user received:

--- Forwarded -------
Hi, we are still tracking down what you're experiencing but so far it seems
like a JSSE issue. It seems to have a problem with maintaining (SSL)
sessions to IE (IE is the only platform we could reproduce it on, have you
experienced it in NS or any other browser?). We're about to ask the JSSE
team if it's a known issue. In the meantime you can revert to ID (i.e. cookie
or rewrite) based session tracking (instead of SSL-session) by adding
shared="true" to your <web-app ../> node in web-site.xml, i.e.:
<web-app application="myapp" name="myapp-web" shared="true" />.

This has an impact on security of course so it depends on which level of
security you need to maintain. We hope to get this resolved fairly quickly,
either by some clarification by the Sun JSSE team or by trying out other
JSSE implementations.
---

Since then we have been talking to the JSSE team to clear this up.

We will get back when we have a conclusive answer on the matter.

Regards,
Karl Avedal

Peter wrote:

> Hi there,
>
> I am developing an e-commerce application. Some of the storefront pages
> such as checkout, order status etc. must be secured. So I configured two
> web-sites in config.xml: default-web-site(localhost:80) and
> secure-web-site(localhost:439).
> Now I must jump from shoppingcart.jsp (unsecure page) to checkout.jsp
> (secure page). The problem is: the session (and all the data) is
> lost! I tried to encode the session id in the url, but I guess the
> session isn't shared by different web-sites...
> Am I wrong?
>
> Any idea or solution?
> Peter

