Hi,

I have a small web app that appears to illustrate the following
behaviour.
Session started in http is carried over to https, but session started in
https is *not* carried over to http!

Why?


Web app has 3 pages
Index.jsp
Page2.jsp
Logout.jsp (does session invalidate & forward to index.jsp)

1) go to index.jsp as http (session1)
2) follow https link to page2.jsp (session1)
3) follow https link to logout.jsp 
4) now at https index.jsp with session2 (session2 created in https
world)
5) follow https link to page2.jsp again (session2)
6) follow *http* link to index.jsp (session 3!!!)

I don't understand why session 3 is created.

I read that old browsers don't maintain sessions between http and https;
I'm using IE6.

Can anyone explain this?

Thanks
Martin
PS Code is below.





******************Index.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>

<html>
<body>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        HttpSession mysession = req.getSession(false  );
        
        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("index.jsp");
 
__log.info("SessionID="+(mysession==null?"null":mysession.getId()));
%>
<p>
SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>

</p>

<p>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/page2.jsp")%>">page2</a>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>
</body>
</html>
********************page2.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<html>
<body>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        HttpSession mysession = req.getSession(false  );
        
        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("page2");
 
__log.info("SessionID="+(mysession==null?"null":mysession.getId()));
        
%>
<p>
SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>

</p>

<p>
<a href="<%=response.encodeURL("http://localhost:8080/sessiontest/index.jsp")%>">index page</a><br/>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>

</body>
</html>


*************logout.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<%
        HttpServletRequest req = ( HttpServletRequest ) request;
        HttpSession mysession = req.getSession(false  );
        Log __log = LogFactory.getLog( this.getClass() );
        __log.info("logout.jsp");
        __log.info("pre invalidate SessionID="+(mysession==null?"null":mysession.getId()));
        if (session!=null)
                session.invalidate();

        __log.info("post invalidateSessionID="+(mysession==null?"null":mysession.getId()));

        RequestDispatcher rd =req.getRequestDispatcher("/index.jsp");
        rd.forward(req, (HttpServletResponse)response);

%>
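
Added example, not part of the original post: a small Java model of the six steps listed above. It assumes the container marks the session cookie Secure when the session is created on an HTTPS request (as Tomcat does) and that the browser withholds Secure cookies from plain-HTTP requests; the class and method names are hypothetical.

```java
import java.util.HashSet;
import java.util.Set;

// Toy model (constructed for illustration): one browser cookie jar, one container.
public class SecureSessionCookieDemo {
    // Browser side: the JSESSIONID cookie for host "localhost".
    // Cookies are not scoped by port, so :8080 and :8443 share it.
    static String cookieValue = null;
    static boolean cookieSecure = false;

    // Container side: ids of live sessions.
    static final Set<String> liveSessions = new HashSet<>();
    static int created = 0;

    // One page request; returns the session id the JSP ends up with.
    static String request(boolean https, boolean logout) {
        // Browser rule: a Secure cookie is sent only on HTTPS requests.
        boolean send = cookieValue != null && (https || !cookieSecure);
        String id = (send && liveSessions.contains(cookieValue)) ? cookieValue : null;
        if (logout && id != null) {      // logout.jsp: invalidate, then forward to index.jsp
            liveSessions.remove(id);
            id = null;
        }
        if (id == null) {                // the JSP's implicit session is created on demand
            id = "session" + (++created);
            liveSessions.add(id);
            cookieValue = id;            // Set-Cookie replaces the old JSESSIONID
            cookieSecure = https;        // assumption: Secure flag set when request is HTTPS
        }
        return id;
    }

    public static void main(String[] args) {
        System.out.println("1)   http  index.jsp  -> " + request(false, false));
        System.out.println("2)   https page2.jsp  -> " + request(true, false));
        System.out.println("3-4) https logout.jsp -> " + request(true, true));
        System.out.println("5)   https page2.jsp  -> " + request(true, false));
        System.out.println("6)   http  index.jsp  -> " + request(false, false));
    }
}
```

In this model the Secure flag is what keeps a session id issued over HTTPS from being sent in clear text on a later HTTP request.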





