Re: AW: How to redirect http to https automatically?

2004-10-18 Thread raiden
Hello,

I believe all but your third example are correct.  I am pretty sure that a
cookie set for www.domaina.com will be sent to that same domain whether it's in
http or https.

However, if the cookie is marked as secure, it will only be sent under
https.

This is what has caused the problem.  I still don't know why the Tomcat
team decided to take out the configurable option of forcing session
cookies that were created under https to be secure or not.  (I understand
that it makes a good default, from a security point of view.  But for
those that are aware of the security implications, we no longer have the
option to turn it off.)

This has caused a problem for many people, and has come up in numerous
threads since this change was made in the Tomcat 4.x line.  (Or perhaps,
the configurable option was added to the 3.x line, and never added to the
4.x and 5.x lines?)

http://www.junlu.com/msg/49789.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg83724.html
http://archives.real-time.com/pipermail/tomcat-devel/2001-October/024544.html

Thanks,
-Raiden Johnson


On Sat, 16 Oct 2004, Steffen Heil wrote:

 Hi

  Actually, I'm a big advocate against staying in HTTPS, because of the
 overhead.  However, this is a problem with Tomcat, because in the 4.x and
 5.x lines it was decided by someone that if a session started in HTTPS it is
 only valid in HTTPS (basically, the session cookie is turned into a secure
 cookie only).

 I do not understand this.
 I always thought cookies were only valid for ONE domain and ONE protocol,
 so the following would be pairwise different and thus cannot share a cookie:

 http://www.domaina.com  http://www.domainb.com
 http://www.domaina.com  http://domainb.com
 http://www.domaina.com  https://www.domaina.com

 Is my view wrong? Is there a way to reattach a session to a request, if
 the old sessionID is known?

 Regards,
   Steffen


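To make the cookie-scoping point concrete, here is an added example (not code from the thread or from Tomcat) that models the browser's "should I send this cookie?" decision for the three URL pairs Steffen listed, plus the Secure-flag case raiden describes. It assumes a host-only cookie (no Domain attribute) and ignores path, expiry and other attributes.

```python
from urllib.parse import urlsplit

# Constructed example: a minimal model of the browser's "should I send this
# cookie?" decision, covering only domain matching and the Secure flag
# (path, expiry and SameSite are deliberately left out).

def domain_matches(host: str, cookie_domain: str, host_only: bool) -> bool:
    """Host-only cookies (no Domain attribute) match the exact host; domain
    cookies also match subdomains of the stated domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent(cookie: dict, url: str) -> bool:
    """Return True if a browser would attach `cookie` to a request for `url`.
    The scheme is irrelevant unless the cookie carries the Secure flag."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not domain_matches(host, cookie["domain"], cookie.get("host_only", True)):
        return False
    if cookie.get("secure") and parts.scheme != "https":
        return False
    return True

def tomcat_session_cookie(set_over_https: bool, mark_secure: bool = True) -> dict:
    """Model the behaviour the thread complains about: a JSESSIONID created
    during an HTTPS request is flagged Secure, so it is not replayed on a
    later plain-HTTP request to the same host. `mark_secure` is the
    (hypothetical) switch the thread says is no longer configurable."""
    return {"name": "JSESSIONID", "domain": "www.domaina.com",
            "host_only": True, "secure": set_over_https and mark_secure}

def session_survives(set_over_https: bool, next_url: str, mark_secure: bool = True) -> bool:
    """Does the session cookie reach the server on the next request?"""
    return cookie_sent(tomcat_session_cookie(set_over_https, mark_secure), next_url)

if __name__ == "__main__":
    plain = {"name": "x", "domain": "www.domaina.com", "host_only": True}
    for url in ("http://www.domainb.com", "http://domainb.com", "https://www.domaina.com"):
        print(url, cookie_sent(plain, url))
    print("session from https, next request http:",
          session_survives(True, "http://www.domaina.com"))
```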



AW: How to redirect http to https automatically?

2004-10-16 Thread Steffen Heil
Hi

 Actually, I'm a big advocate against staying in HTTPS, because of the
overhead.  However, this is a problem with Tomcat, because in the 4.x and
5.x lines it was decided by someone that if a session started in HTTPS it is
only valid in HTTPS (basically, the session cookie is turned into a secure
cookie only).

I do not understand this.
I always thought cookies were only valid for ONE domain and ONE protocol,
so the following would be pairwise different and thus cannot share a cookie:

http://www.domaina.com  http://www.domainb.com
http://www.domaina.com  http://domainb.com
http://www.domaina.com  https://www.domaina.com

Is my view wrong? Is there a way to reattach a session to a request, if
the old sessionID is known?

Regards,
  Steffen

