RE: how to maintain session between HTTP and HTTPS?

2000-12-14 Thread Weigen Liang


--- cga [EMAIL PROTECTED] wrote:
 I find it strange that it doesn't maintain session
 across http and https.
 Are you redirecting?

Netscape (4.7, at least) does not maintain session
between http and https. IE does. This happens with or
without redirect.

What I ended up doing is to ALWAYS encode session id
into the urls when crossing the http/https boundary,
so not depending on the encodeURL or encodeRedirectURL
of response object.

 Gaston


 ----- Original Message -----
 From: Elijah Roberts [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Saturday, December 09, 2000 4:11 AM
 Subject: Re: how to maintain session between HTTP and HTTPS?


  On Saturday December 09, 2000 Weigen Liang wrote:
    I'm trying to find a way to maintain session between
    HTTP and HTTPS: some pages (html/jsp),
    such as login and credit card info, need to be
    transported under HTTPS, but the rest does not
    need to. I prefer not to spend the extra
    CPU cycles for unnecessary encryption since
    the servers may be under heavy CPU utilization
    due to generating images for returning to user.

    Any suggestions?

  Is a normal JSP session not maintained across HTTP and HTTPS? I have
  never tried it out, but I don't see any reason why it shouldn't work.
  Have you tried it and found it to not work? Your email is a little vague.

  Elijah Roberts
  [EMAIL PROTECTED]





RE: how to maintain session between HTTP and HTTPS?

2000-12-14 Thread Michael Kuz





Are you sharing sessions over multiple Tomcat instances/boxes?
(i.e., do HTTP and HTTPS both point to the same instance of Tomcat?)



Michael R. Kuz
Developer
Service Intelligence
(403) 261-5000 ext. 363
[EMAIL PROTECTED]





Re: how to maintain session between HTTP and HTTPS?

2000-12-09 Thread Paul Frieden

In a load-balanced environment, this is tricky with people behind an IP
randomizing proxy (like AOL).  If you use all SSL, the load balancer can
track the SSL session ID across different IPs.  If you use all non-SSL,
you can track with a cookie.  You can use IP based sticky if the IP
stays the same.  It's tricky if you have to mix more than one of those.

What we're doing is using IP sticky with our load balancers, with mod_jk
sending all new sessions to the local server, and redistributing them to
the proper server if they aren't local.  I might write up a document
describing how we run Tomcat in this environment if anybody is
interested.

Paul



how to maintain session between HTTP and HTTPS?

2000-12-08 Thread Weigen Liang

I'm trying to find a way to maintain session between
HTTP and HTTPS: some pages (html/jsp),
such as login and credit card info, need to be
transported under HTTPS, but the rest does not
need to. I prefer not to spend the extra
CPU cycles for unnecessary encryption since
the servers may be under heavy CPU utilization
due to generating images for returning to user.

Any suggestions?

Thanks.

Weigen
 





RE: how to maintain session between HTTP and HTTPS?

2000-12-08 Thread cga

I find it strange that it doesn't maintain session across http and https.
Are you redirecting?
Anyway, a not very good way of solving the problem is putting the session in
a hashtable and when you have your user back you retrieve the session from
there (and take it out). Use a parameter to identify the session (or a
cookie). That is how I solved a similar problem when I had to redirect to
another server and get the answer as an http call.

Bye,

Gaston


----- Original Message -----
From: Elijah Roberts [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 09, 2000 4:11 AM
Subject: Re: how to maintain session between HTTP and HTTPS?


 On Saturday December 09, 2000 Weigen Liang wrote:
   I'm trying to find a way to maintain session between
   HTTP and HTTPS: some pages (html/jsp),
   such as login and credit card info, need to be
   transported under HTTPS, but the rest does not
   need to. I prefer not to spend the extra
   CPU cycles for unnecessary encryption since
   the servers may be under heavy CPU utilization
   due to generating images for returning to user.

   Any suggestions?

 Is a normal JSP session not maintained across HTTP and HTTPS? I have
 never tried it out, but I don't see any reason why it shouldn't work.
 Have you tried it and found it to not work? Your email is a little vague.

 Elijah Roberts
 [EMAIL PROTECTED]
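
The hashtable handoff Gaston describes above, sketched as an added example (not code from the thread or from Tomcat). The class name `SessionHandoff`, the `handoff` parameter, the `shop.example` URL and the 30-second lifetime are assumptions; it goes slightly beyond the post by giving each parked entry an unguessable identifier and an expiry.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: one-time table for carrying user state across the http/https switch. */
public class SessionHandoff {
    private static final long TTL_MS = 30_000;   // assumed lifetime of a parked entry
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final Object state;
        final long expiresAt;
        Entry(Object state, long expiresAt) { this.state = state; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> parked = new ConcurrentHashMap<>();

    /** Park the user's state; the returned value is the parameter that identifies it. */
    public String park(Object state, long nowMs) {
        byte[] raw = new byte[16];                // 128 random bits, not a counter or user id
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        parked.put(token, new Entry(state, nowMs + TTL_MS));
        return token;
    }

    /** "Retrieve and take it out": a token works once, and not after it has expired. */
    public Object claim(String token, long nowMs) {
        if (token == null) return null;
        Entry e = parked.remove(token);           // atomic remove makes the token single-use
        if (e == null || nowMs > e.expiresAt) return null;
        return e.state;
    }

    /** Drop entries that were parked but never claimed. */
    public void sweep(long nowMs) {
        parked.values().removeIf(e -> nowMs > e.expiresAt);
    }

    public static void main(String[] args) {
        SessionHandoff table = new SessionHandoff();
        long t0 = System.currentTimeMillis();
        String token = table.park("cart-for-user-42 (constructed sample)", t0);
        System.out.println("redirect to https://shop.example/checkout?handoff=" + token);
        System.out.println("first claim:   " + table.claim(token, t0 + 1_000));
        System.out.println("second claim:  " + table.claim(token, t0 + 2_000));
        String late = table.park("late arrival (constructed sample)", t0);
        System.out.println("expired claim: " + table.claim(late, t0 + TTL_MS + 1));
    }
}
```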