I have a jsp page that attempts to include the output from another jsp using the
io:http request.
Since the browser is allowing cookies, the sessionid is not passed in to the
included jsp so the included jsp generates a new sessionid.

The http io tag should check whether or not the "included" request is part of
the same webapp, and manually encode the session id.

This looks like a bug to me.

Consider the following jsp added to the Tomcat 4.0.1 examples context. The
output clearly shows that a new session is being created by the included page. 

<html>
<body>
    <%
    HttpSession theOriginalSession = request.getSession(false);
    String theOriginalSessionID = theOriginalSession.getId();
    out.println("Original SessionID: " + theOriginalSessionID);
    out.println("<br>");
    %>
    <%@ taglib uri="http://jakarta.apache.org/taglibs/io-1.0" prefix="io" %>
    <io:http url="/servlet/SessionExample" action="GET" />
</body>
</html>

The response is:

Original SessionID: 0598E800F530D255E162F5E5D20801A8 
Sessions Example
Session ID: F7750108F0C0A1B3637819F109D95419 
Created: Tue Oct 23 20:22:56 EDT 2001
Last Accessed: Tue Oct 23 20:22:56 EDT 2001 
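
Added example, not part of the original message and not code from the io taglib: one way to do the check the report asks for, attaching the session id only when the target URL is inside the same webapp so it is never sent to another host or context. The class and method names and the localhost:8080 URLs are assumptions made for illustration; the session id is the one shown in the output above.

```java
import java.net.URI;

// Added example: hypothetical helper, not code from the io taglib.
final class SameWebappSessionUrl {

    // Default ports so http://host/ and http://host:80/ compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // True only if target is inside the same scheme/host/port/context path.
    static boolean sameWebapp(URI self, String contextPath, URI target) {
        String path = target.getPath() == null ? "" : target.getPath();
        return target.getScheme() != null && target.getHost() != null
            && target.getScheme().equalsIgnoreCase(self.getScheme())
            && target.getHost().equalsIgnoreCase(self.getHost())
            && port(target) == port(self)
            && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    // Appends ;jsessionid=<id> to the path for same-webapp targets only;
    // any other URL is returned untouched so the id never leaves the app.
    static String encode(URI self, String contextPath, String url, String sessionId) {
        URI target = URI.create(url).normalize(); // collapse "../" first
        if (sessionId == null || !sameWebapp(self, contextPath, target)) return url;
        StringBuilder sb = new StringBuilder()
            .append(target.getScheme()).append("://")
            .append(target.getRawAuthority())
            .append(target.getRawPath()).append(";jsessionid=").append(sessionId);
        if (target.getRawQuery() != null) sb.append('?').append(target.getRawQuery());
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed values; in a tag these come from the request and session.
        URI self = URI.create("http://localhost:8080/examples/test.jsp");
        String ctx = "/examples";
        String sid = "0598E800F530D255E162F5E5D20801A8"; // id shown in the post
        String[] urls = {
            "http://localhost:8080/examples/servlet/SessionExample?a=1",
            "http://localhost:8080/examples/../other/page",   // escapes context
            "http://localhost:8080/examplesX/servlet/Foo",    // prefix lookalike
            "http://other.example:8080/examples/servlet/SessionExample"
        };
        for (String u : urls) System.out.println(encode(self, ctx, u, sid));
    }
}
```

Only the first URL comes back with ;jsessionid= appended; the other three are printed unchanged. A session id carried in the URL also ends up in access logs, so sending it as a Cookie request header under the same check keeps it out of them.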
