RE: Session Tracking across hostnames?

Joel:

In that case, I would argue that the design is mismatched to the actual usage of web applications.

Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases

-----Original Message-----
From: Joel Rees [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 14, 2002 10:35 PM
To: Tomcat Users List
Cc: [EMAIL PROTECTED]
Subject: Re: Session Tracking across hostnames?

Neil Aggarwal wrote:

> For an application we are building, we are using a shared SSL certificate so the hostname has to be different for http and https.
>
> For example, public pages are loaded from http://www.futurescope.com/fscope/myPage.jsp and private pages are loaded from http://www.JAMMConsulting.com/fscope/privatePage.jsp
>
> Unfortunately, when we switch from http to https or vice versa, we lose track of the session.
>
> Is there a way to keep the session in this instance?

I think that's by design. See the mailing list archives for some discussion of why.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: Session Tracking across hostnames?

I think this would help: when you switch from HTTP to HTTPS, add JSESSIONID to that URL by calling response.encodeURL(url)

-Jan

-----Original Message-----
From: Neil Aggarwal [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 14, 2002 6:49 AM
To: Tomcat-User
Subject: Session Tracking across hostnames?

Hello:

I am using Apache 1.3 and Tomcat 4.0.3.

For an application we are building, we are using a shared SSL certificate so the hostname has to be different for http and https.

For example, public pages are loaded from http://www.futurescope.com/fscope/myPage.jsp and private pages are loaded from http://www.JAMMConsulting.com/fscope/privatePage.jsp

Unfortunately, when we switch from http to https or vice versa, we lose track of the session.

Is there a way to keep the session in this instance?

Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases

---
Outgoing message contains no viruses.
Checked by the AVG anti-virus system (http://www.grisoft.cz).
Version: 6.0.346 / Virus database: 194 - release date: 10.4.2002
RE: Session Tracking across hostnames?

Jan:

I am using response.encodeURL, but it does not add the session id when the hostname is different.

Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases

-----Original Message-----
From: Pekník Jan [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 8:53 AM
To: 'Tomcat Users List'
Subject: RE: Session Tracking across hostnames?

I think this would help: when you switch from HTTP to HTTPS, add JSESSIONID to that URL by calling response.encodeURL(url)

-Jan
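Why `response.encodeURL` leaves a link to the other hostname untouched, as an added example that is not part of the original thread and is not Tomcat's source: the container rewrites only links that point back at the same scheme, host, port and context path as the current request, which keeps the session ID out of URLs sent to other hosts. The class and method names, the session ID and the `https` scheme on the second host are assumptions.

```java
import java.net.URI;

/** Added illustration of a same-origin test before URL rewriting (hypothetical class). */
public class EncodeUrlCheck {

    /** Port named in the URI, or the scheme's default when none is given. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** True only when target points back at the request's scheme, host, port and context. */
    static boolean isEncodeable(URI request, String contextPath, URI target) {
        if (target.getScheme() == null || target.getHost() == null) return false; // mailto: etc.
        if (!target.getScheme().equalsIgnoreCase(request.getScheme())) return false;
        if (!target.getHost().equalsIgnoreCase(request.getHost())) return false;
        if (effectivePort(target) != effectivePort(request)) return false;
        String path = target.getPath();
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    /** Inserts ;jsessionid= before any query or fragment, but only for encodeable links. */
    static String encodeURL(URI request, String contextPath, String sessionId, String link) {
        URI absolute = request.resolve(link); // relative links resolve against the request
        if (!isEncodeable(request, contextPath, absolute)) return link;
        int cut = link.length();
        for (char c : new char[] {'?', '#'}) {
            int i = link.indexOf(c);
            if (i >= 0 && i < cut) cut = i;
        }
        return link.substring(0, cut) + ";jsessionid=" + sessionId + link.substring(cut);
    }

    public static void main(String[] args) {
        URI request = URI.create("http://www.futurescope.com/fscope/myPage.jsp");
        String sessionId = "0123456789ABCDEF"; // constructed sample value
        String[] links = {
            "other.jsp?item=1",                                        // same host, relative
            "/fscope/cart.jsp",                                        // same host, absolute path
            "https://www.JAMMConsulting.com/fscope/privatePage.jsp",   // other scheme and host
            "http://www.futurescope.com/otherapp/index.jsp"            // same host, other context
        };
        for (String link : links) {
            System.out.println(link + " -> " + encodeURL(request, "/fscope", sessionId, link));
        }
    }
}
```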
Re: Session Tracking across hostnames?

How about this ... don't use encodeURL, just emulate it ... i.e. do the ;jsessionid= sessionID yourself.

David

Neil Aggarwal wrote:

> Jan:
>
> I am using response.encodeURL, but it does not add the session id when the hostname is different.
>
> Thanks,
> Neil.
> --
> Neil Aggarwal
> JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development
> Websites, Ecommerce, Java, databases
RE: Session Tracking across hostnames?

David:

I tried that too. It did not work. I still get a new session.

Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases

-----Original Message-----
From: David Cassidy [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 10:10 AM
To: Tomcat Users List
Subject: Re: Session Tracking across hostnames?

How about this ... don't use encodeURL, just emulate it ... i.e. do the ;jsessionid= sessionID yourself.

David
RE: Session Tracking across hostnames?

-----Original Message-----
From: Neil Aggarwal [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 14, 2002 1:09 AM
To: Tomcat Users List; Aditya
Subject: RE: Session Tracking across hostnames?

Adi:

I tried this, but the problem is that the session id is not encoded into URLs that are not on the same hostname.

Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases
Re: Session Tracking across hostnames?

Both of these two URLs do actually speak to the same Tomcat, don't they?

Does TC get passed the headers of what server actually brought the request to it? ajp12 vs 13?

Have you tried virtual hosts in TC?

David...

Neil Aggarwal wrote:

> David:
>
> I tried that too. It did not work. I still get a new session.
>
> Thanks,
> Neil.
> --
> Neil Aggarwal
> JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development
> Websites, Ecommerce, Java, databases
Re: Session Tracking across hostnames?

Neil:

I think this has been discussed on this list. You can check the archives.

It sounds like what you want is to be able to split the https session from http activity during browsing, so that a single user could, for instance, view non-sensitive information from an ordinary catalog page while filling in an order form, without having to open up Netscape and Opera to run two separate sessions.

There may be a place where you could patch (your own copy of) Tomcat to allow the server to try to do that. I seem to recall something like that mentioned on this list recently. I also seem to recall browser issues mentioned in that context.

I don't really have any experience in this, but I think it wise to urge due caution. There are a lot of ways to unwittingly open the https session to prying eyes by running http activity in parallel, especially if your http pages have any awareness of the https session in progress.

I may be way off base, but I think it is those dangers that might influence a design decision to lose session information when switching back and forth. That way, the programmers have to _explicitly_ define and implement their own security/privacy policies.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka

Neil Aggarwal wrote:

> Joel:
>
> In that case, I would argue that the design is mismatched to the actual usage of web applications.
>
> Thanks,
> Neil.
> --
> Neil Aggarwal
> JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development
> Websites, Ecommerce, Java, databases
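One way to make the policy Joel describes explicit, as an added example that is not part of the original thread: the HTTP host hands the browser a single-use, short-lived random token that maps to low-sensitivity state only, and the HTTPS host redeems it and then starts its own fresh session, so neither session ID ever crosses hosts. The class, the `handoff` parameter, the 30-second lifetime and the cart ID are hypothetical; because the token travels over plain HTTP first, whatever it unlocks must be treated as untrusted on the HTTPS side.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: one-time handoff of low-sensitivity state between two hostnames. */
public class SessionHandoff {

    /** State carried across; deliberately holds no session ID and no credentials. */
    record Ticket(String cartId, Instant expires) {}

    private static final Duration TTL = Duration.ofSeconds(30); // assumed lifetime
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Ticket> pending = new ConcurrentHashMap<>();

    /** Called on the HTTP host: returns the URL to redirect the browser to. */
    public String issue(String cartId, String httpsUrl, Instant now) {
        byte[] raw = new byte[32];                       // 256 bits, not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Ticket(cartId, now.plus(TTL)));
        return httpsUrl + "?handoff=" + token;
    }

    /** Called on the HTTPS host: a token works once, and only before it expires. */
    public Optional<String> redeem(String token, Instant now) {
        if (token == null) return Optional.empty();
        Ticket ticket = pending.remove(token);           // removed first, so a replay finds nothing
        if (ticket == null || now.isAfter(ticket.expires())) return Optional.empty();
        // The caller now creates a new HTTPS session and copies only cartId into it.
        return Optional.of(ticket.cartId());
    }

    public static void main(String[] args) {
        SessionHandoff handoff = new SessionHandoff();
        Instant start = Instant.parse("2002-04-15T10:00:00Z"); // constructed clock value
        String target = "https://www.JAMMConsulting.com/fscope/privatePage.jsp";

        String redirect = handoff.issue("cart-42", target, start);
        String token = redirect.substring(redirect.indexOf("handoff=") + "handoff=".length());
        System.out.println("first use:  " + handoff.redeem(token, start.plusSeconds(5)));
        System.out.println("replay:     " + handoff.redeem(token, start.plusSeconds(6)));

        String late = handoff.issue("cart-43", target, start);
        String lateToken = late.substring(late.indexOf("handoff=") + "handoff=".length());
        System.out.println("after TTL:  " + handoff.redeem(lateToken, start.plusSeconds(31)));
        System.out.println("unknown:    " + handoff.redeem("not-a-real-token", start));
    }
}
```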
Re: Session Tracking across hostnames?

Neil Aggarwal wrote:

> For an application we are building, we are using a shared SSL certificate so the hostname has to be different for http and https.
>
> For example, public pages are loaded from http://www.futurescope.com/fscope/myPage.jsp and private pages are loaded from http://www.JAMMConsulting.com/fscope/privatePage.jsp
>
> Unfortunately, when we switch from http to https or vice versa, we lose track of the session.
>
> Is there a way to keep the session in this instance?

I think that's by design. See the mailing list archives for some discussion of why.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka
Session Tracking across hostnames?

Hello:

I am using Apache 1.3 and Tomcat 4.0.3.

For an application we are building, we are using a shared SSL certificate so the hostname has to be different for http and https.

For example, public pages are loaded from http://www.futurescope.com/fscope/myPage.jsp and private pages are loaded from http://www.JAMMConsulting.com/fscope/privatePage.jsp

Unfortunately, when we switch from http to https or vice versa, we lose track of the session.

Is there a way to keep the session in this instance?

Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases
Re: Session Tracking across hostnames?

Hi Neil,

cookies are bound to the server name, so you can't use cookies (the default method with Tomcat) to track sessions. If you are not doing form-based realm authentication, you can use URL rewriting to track the session by setting:

cookies=false

for the contexts you are serving (you could also do it for the default context).

I think this is what you are asking.

Thanks,
Adi

On Sat, Apr 13, 2002 at 11:48:40PM -0500, Neil Aggarwal wrote:

> Hello:
>
> I am using Apache 1.3 and Tomcat 4.0.3.
>
> For an application we are building, we are using a shared SSL certificate so the hostname has to be different for http and https.
>
> For example, public pages are loaded from http://www.futurescope.com/fscope/myPage.jsp and private pages are loaded from http://www.JAMMConsulting.com/fscope/privatePage.jsp
>
> Unfortunately, when we switch from http to https or vice versa, we lose track of the session.
>
> Is there a way to keep the session in this instance?
>
> Thanks,
> Neil.
> --
> Neil Aggarwal
> JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development
> Websites, Ecommerce, Java, databases
RE: Session Tracking across hostnames?

Adi:

I tried this, but the problem is that the session id is not encoded into URLs that are not on the same hostname.

Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development
Websites, Ecommerce, Java, databases

-----Original Message-----
From: Aditya [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 13, 2002 11:46 PM
To: Tomcat Users List
Subject: Re: Session Tracking across hostnames?

Hi Neil,

cookies are bound to the server name, so you can't use cookies (the default method with Tomcat) to track sessions. If you are not doing form-based realm authentication, you can use URL rewriting to track the session by setting:

cookies=false

for the contexts you are serving (you could also do it for the default context).

I think this is what you are asking.

Thanks,
Adi