Martin Grüneberg typed the following on 01:42 AM 1/17/2001 +0100
>Because cookies are disabled in many browsers, I prefer
>session management with URL rewriting. (server.xml --> noCookies)
>On normal HTTP requests the session management does a good job.
>But on changing to a safe HTTPS SSL connection for sensitive data, the session
>is lost and a new session is created. Every time I reload this (HTTPS) page
>a new session is returned!??
Tomcat won't add the session ID to a URL if the port numbers don't match,
which they won't when you're moving from HTTP to HTTPS. If you reload
the same URL, which doesn't have a session ID in it, and don't accept
cookies, you aren't sending a session ID to Tomcat, so it has to generate
a new session every time.
>Is there, for example, a way to manually pass the session ID and get the user
>session like this:
>session.getSession("sessionID"); ????
Nope. The only thing I can think of, other than submitting a patch so Tomcat
doesn't use the port number to determine whether a URL should be rewritten
(I'm not sure whether such a patch would be accepted), is to manually
put the ID into the URL yourself.

    String myURL = "https://www.myserver.com/mypage.jsp;jsessionid=" + session.getId() +
        "?myparam=foo";

This isn't very cool, though.
I understand wanting your apps to work without cookies, especially in Germany,
but allowing users who *do* have cookies enabled to use cookies won't affect
users who don't have cookies: Tomcat will use whichever one works. And cookies
have some advantages, like working even if the user goes to another site and
returns without clicking a rewritten link.
Sorry I don't have a better answer for you.
Kief
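
Added example, not part of the original message or of Tomcat's code: a small helper that places ;jsessionid= into an absolute HTTPS URL ahead of any query string or fragment, which is where the manual approach above needs it. The class name SecureUrlRewriter, the method withSessionId and the sample session ID are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SecureUrlRewriter {

    /**
     * Returns httpsUrl with ";jsessionid=<id>" appended to the path,
     * before the query string and fragment. Hypothetical helper.
     */
    static String withSessionId(String httpsUrl, String sessionId) throws URISyntaxException {
        URI uri = new URI(httpsUrl);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getRawAuthority() == null) {
            throw new IllegalArgumentException("expected an absolute https:// URL");
        }
        // Reject anything that could break out of the path parameter.
        if (!sessionId.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("unexpected characters in session ID");
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        // Drop an ID that is already present so the URL never carries two.
        int existing = path.indexOf(";jsessionid=");
        if (existing >= 0) {
            path = path.substring(0, existing);
        }
        StringBuilder out = new StringBuilder("https://");
        out.append(uri.getRawAuthority()).append(path);
        out.append(";jsessionid=").append(sessionId);
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            out.append('#').append(uri.getRawFragment());
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        String id = "A1B2C3D4E5"; // constructed sample; in a JSP use session.getId()
        System.out.println(withSessionId("https://www.myserver.com/mypage.jsp?myparam=foo", id));
        System.out.println(withSessionId("https://www.myserver.com/mypage.jsp;jsessionid=OLD?x=1#top", id));
    }
}
```

An ID carried across this way has already travelled in cleartext over HTTP and, once in a URL, also shows up in server logs and Referer headers.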