URL-rewriting sessions are not 'transferable' as per the Servlet 2.3 Spec. Cookie session in Tomcat 3.3.2 and higher follow the rules:
a) If you create the session with a non-SSL request, then it will be transfered back and forth between SSL and non-SSL (unless, of course, your browser chooses to not send the cookie :).
b) If you create the session with a SSL request, then it won't be available for non-SSL requests.
Thanks for that information - it fits in with my experience.
I've just done a search for 'SSL' on the 2.3 specifications, and I did not find anything that corresponds to these two rules (though I might have missed it).
Am I to assume that these two rules are container-specific?
Point (b) is interesting - I hadn't realised that.
I doubt very much that this implementation is container-specific to tomcat. Did you try searching on 'user-data-constraint' or 'confidential'?
Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
