> Is the request attribute "javax.servlet.request.ssl_session" (in TC 3.3)
> a 'standard' attribute that keeps the SSL session ID? Is there a spec
> that defines it?

No, it's not in the specs, and even if you find this information on some servers (Apache + mod_ssl for example), there are still some web servers where it won't be available (IIS I think), and so it couldn't be forwarded by mod_jk ....

> It seems like an extremely important part of keeping the users from
> bumping into each other's TC session 'by accident' (or should I say by
> cracking).

Yes, it's something you could use to verify that nobody is hacking your sessionid, but I feel that any serious webapp application must run under SSL ....
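
The check discussed in this thread, as an added example that is not part of the original messages or of Tomcat's own code: a helper that binds an `HttpSession` to the SSL session id on first use and invalidates the session when a later request arrives on a different one. The class name, `BOUND_KEY` and the `Result` values are assumptions made for this example; the request attribute name is the one quoted in the question.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: ties a servlet session to the SSL session it was first seen on. */
public final class SslSessionBinding {
    // Attribute name quoted in the thread (Tomcat 3.3); not defined by the servlet spec.
    static final String SSL_ATTR = "javax.servlet.request.ssl_session";
    // Hypothetical session key chosen for this example.
    static final String BOUND_KEY = "example.boundSslSession";

    public enum Result { BOUND, MATCH, MISMATCH, UNAVAILABLE }

    private SslSessionBinding() { }

    public static Result check(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return Result.UNAVAILABLE;          // no servlet session to protect yet
        }
        Object raw = request.getAttribute(SSL_ATTR);
        if (raw == null) {
            // Plain HTTP, or a front-end web server / connector that does not
            // forward the SSL session id. The caller decides whether to fail closed.
            return Result.UNAVAILABLE;
        }
        String current = raw.toString();
        String bound = (String) session.getAttribute(BOUND_KEY);
        if (bound == null) {
            session.setAttribute(BOUND_KEY, current);   // first HTTPS request: bind
            return Result.BOUND;
        }
        if (bound.equals(current)) {
            return Result.MATCH;
        }
        // Same servlet session id presented over a different SSL session:
        // drop the session so the presented id is no longer valid.
        session.invalidate();
        return Result.MISMATCH;
    }
}
```

A `MISMATCH` can also occur for a legitimate user, because the SSL session id changes when the client and server negotiate a new SSL session, so the application should treat it as a forced re-login. `UNAVAILABLE` covers the case raised in the reply, where the front-end server does not supply the id at all.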