Andrew Oliver wrote:
> From my perspective you should have a secure login.
> if your login is passed from a non-secure area to a
> secure area there's not really that much purpose in
> providing the security in the first place.
No argument, but who said anything about logging in? Sessions can be
granted to anonymous clients.
> As for a "domain" type session that is another matter.
To answer another poster's question, if you call
HttpRequest.getCookies(), you SHOULD find a cookie containing the value
returned by HttpSession.getId(). There's nothing stopping the Servlet
container from maintaining some sort of translation between the session
cookie value and the session id... except COMMON SENSE.
Sessions are supposed to scope "within a single web application," but
there isn't a specification of how that's supposed to be enforced. For
example, these two URLs may invoke the same Servlet context, or they
might not:
https://foo.company.com/servlet/baz
http://bar.company.com/servlet/baz
Messing with the session cookie may not be guaranteed to be portable, but
there are other ambiguous issues even if you don't.
-- Charles
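As an added illustration of the cookie-versus-session-id point above (example code written for this note, not posted by Charles or anyone else in the thread): a servlet Filter that, on each request, looks up the session cookie via getCookies(), compares its value with HttpSession.getId(), and logs when the two differ or when the cookie arrived over plain HTTP. It assumes the javax.servlet API, the conventional cookie name "JSESSIONID" (a container may use a different one), and that logging to stderr is acceptable.

```java
// Added example, not from the thread: audit the relationship between the
// session cookie the client sent and the session id the container reports.
// Assumptions: javax.servlet API; the cookie is named "JSESSIONID".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionCookieAuditFilter implements Filter {
    // Assumed cookie name; containers are not required to use it.
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            String cookieValue = findSessionCookie(request.getCookies());
            // getSession(false): observe only, never create a session here.
            HttpSession session = request.getSession(false);

            if (cookieValue != null && !request.isSecure()) {
                // The session cookie crossed the wire unprotected, so whatever
                // state is tied to that id (anonymous or not) is exposed.
                log("session cookie received over plain HTTP from "
                        + request.getRemoteAddr());
            }
            if (cookieValue != null && session != null
                    && !cookieValue.equals(session.getId())) {
                // Either the container maps cookie values to ids, or the cookie
                // was issued for another context/host and is not ours.
                log("session cookie value does not match HttpSession.getId()");
            }
        }
        chain.doFilter(req, res);
    }

    // Returns the value of the session cookie, or null if none was sent.
    static String findSessionCookie(Cookie[] cookies) {
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    private static void log(String message) {
        System.err.println("[SessionCookieAudit] " + message);
    }
}
```

Register the filter in web.xml with a url-pattern of /* so it sees every request; the log lines are what a defender would watch for when sessions are expected to stay within one secure host.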