I have a web site that uses SSL on the main page for logging in (to encrypt the password) but uses standard HTTP on most pages thereafter. I set a value in the session that tells me the user is logged in and that value is checked on every page. If the value is not present, the application redirects the user to the login page. Oddly, the user has had to log in twice in this scenario. I have identified the problem, which I will describe below, but have not found a solution. Hopefully there is a configuration setting somewhere that will fix it.
The Problem
===========

The login page creates a session and sets a cookie as follows:

    Set-Cookie: JSESSIONID=A26A878059077E1ABEE058A62541957C; Path=/; Secure

The "Secure" on the end tells the web browser NOT to send the cookie back to the server unless it is an SSL connection. When the user is redirected to the next non-SSL page, no cookie is sent back to the server, a new session is created, and a new cookie is set as follows:

    Set-Cookie: JSESSIONID=082E4CACA42D045D7E1F1F55CB073C48; Path=/

My application, assuming the user is not logged in, redirects the user back to the main page. There is an existing session, so it is used for the login variable. Since the cookie is no longer labeled "Secure" it is valid for all pages.

Possible Solutions
==================

This is where I need some help. If it is simply a configuration setting, I have missed it. Otherwise I need to make sure a non-secure cookie exists before displaying the login page. This could mean redirecting to a non-SSL page first if the session is new, or somehow grabbing the Cookie object before it is sent to the browser and calling setSecure(false), neither of which seems like an elegant solution.
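The exchange described in the post, replayed against a minimal cookie jar that applies the Secure attribute the way a browser does. This is an added example, not code from the original post or from Tomcat; the hostname app.example and the paths /login and /home are assumed, and the two JSESSIONID values are the ones quoted above. The strict_secure flag is an extra not in the post: it models the newer browser rule (RFC 6265bis, "Leave Secure Cookies Alone") under which a Set-Cookie received over plain HTTP cannot replace an existing Secure cookie of the same name, so in current browsers the second, non-Secure cookie is simply dropped and the outcome the post describes no longer occurs.

```python
"""Simulate a browser cookie jar's handling of the Secure attribute.

Added example, not code from the original post. Hostname and paths are
constructed sample data; the JSESSIONID values are the ones quoted in
the post.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value; attr; attr=value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path":
            cookie.path = val.strip() or "/"
        elif key == "secure":
            cookie.secure = True
    return cookie


class CookieJar:
    def __init__(self, strict_secure: bool = False) -> None:
        # Cookies are keyed by (name, path); a later Set-Cookie with the same
        # key replaces the earlier one, which is what the post relies on.
        self._cookies: dict[tuple[str, str], Cookie] = {}
        self.strict_secure = strict_secure

    def store(self, header: str, from_url: str) -> bool:
        """Store a cookie received in a response from from_url.

        Returns False when the cookie is rejected under the strict rule.
        """
        cookie = parse_set_cookie(header)
        over_https = urlsplit(from_url).scheme == "https"
        if self.strict_secure and not over_https:
            # RFC 6265bis: an insecure origin may neither set a Secure cookie
            # nor overwrite an existing Secure cookie with the same name/path
            # (the full rule also covers any path-matching cookie).
            existing = self._cookies.get((cookie.name, cookie.path))
            if cookie.secure or (existing is not None and existing.secure):
                return False
        self._cookies[(cookie.name, cookie.path)] = cookie
        return True

    def cookies_for(self, url: str) -> dict[str, str]:
        """Return the cookies a browser would attach to a request for url."""
        parts = urlsplit(url)
        over_https = parts.scheme == "https"
        req_path = parts.path or "/"
        sent = {}
        for cookie in self._cookies.values():
            if cookie.secure and not over_https:
                continue  # RFC 6265 5.4: Secure cookies go only over https
            path_ok = req_path == cookie.path or req_path.startswith(
                cookie.path.rstrip("/") + "/"
            )
            if path_ok:
                sent[cookie.name] = cookie.value
        return sent


def simulate(strict_secure: bool = False) -> list[dict[str, str]]:
    """Replay the post's flow; return the cookies sent at each step."""
    jar = CookieJar(strict_secure=strict_secure)
    # 1. Login over HTTPS: Tomcat sets a Secure session cookie.
    jar.store("JSESSIONID=A26A878059077E1ABEE058A62541957C; Path=/; Secure",
              "https://app.example/login")
    steps = []
    # 2. Redirect to a plain-HTTP page: the Secure cookie is withheld, so the
    #    server sees no session and creates a new one with a non-Secure cookie.
    steps.append(jar.cookies_for("http://app.example/home"))
    jar.store("JSESSIONID=082E4CACA42D045D7E1F1F55CB073C48; Path=/",
              "http://app.example/home")
    # 3. Redirect back to the HTTPS login page, then to the HTTP page again:
    #    which JSESSIONID does the browser now present?
    steps.append(jar.cookies_for("https://app.example/login"))
    steps.append(jar.cookies_for("http://app.example/home"))
    return steps


if __name__ == "__main__":
    for label, flag in (("legacy browser", False), ("strict browser", True)):
        print(label, simulate(strict_secure=flag))
```

With the legacy behaviour the second, non-Secure cookie replaces the first, so the login page over HTTPS sees the new session and, after the second login, that session ID travels over plain HTTP on every page. With strict_secure the plain-HTTP Set-Cookie is rejected, the HTTPS page keeps the original Secure session, and the HTTP page still gets no cookie at all. Either way, the Secure attribute is doing exactly what it is for: a session ID that is sent over plain HTTP is readable by anyone on the network path, so any fix that removes it trades the double login for a session that can be captured and replayed.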
