Hi, I have a small web app that appears to illustrate the following behaviour. Session started in http is carried over to https, but session started in https is *not* carried over to http!
Why?

Web app has 3 pages:

Index.jsp
Page2.jsp
Logout.jsp (does session invalidate & forward to index.jsp)

1) go to index.jsp as http (session1)
2) follow https link to page2.jsp (session1)
3) follow https link to logout.jsp
4) now at https index.jsp with session2 (session2 created in https world)
5) follow https link to page2.jsp again (session2)
6) follow *http* link to index.jsp (session 3!!!)

I don't understand why session 3 is created. I read that old browsers don't maintain sessions between http and https; I'm using IE6.

Can anyone explain this?

Thanks
Martin

PS Code is below.

******************Index.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<html>
<body>
<%
    HttpServletRequest req = (HttpServletRequest) request;
    // getSession(false): look up the current session without creating one
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("index.jsp");
    __log.info("SessionID=" + (mysession == null ? "null" : mysession.getId()));
%>
<p>
SessionID=<%=(mysession == null ? "null" : mysession.getId())%><br/>
</p>
<p>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/page2.jsp")%>">page2</a>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>
</body>
</html>

********************page2.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<html>
<body>
<%
    HttpServletRequest req = (HttpServletRequest) request;
    // getSession(false): look up the current session without creating one
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("page2");
    __log.info("SessionID=" + (mysession == null ? "null" : mysession.getId()));
%>
<p>
SessionID=<%=(mysession == null ? "null" : mysession.getId())%><br/>
</p>
<p>
<a href="<%=response.encodeURL("http://localhost:8080/sessiontest/index.jsp")%>">index page</a><br/>
<a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
</p>
</body>
</html>

*************logout.jsp
<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
<%
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("logout.jsp");
    __log.info("pre invalidate SessionID=" + (mysession == null ? "null" : mysession.getId()));
    // 'session' is the JSP implicit session object
    if (session != null) session.invalidate();
    __log.info("post invalidateSessionID=" + (mysession == null ? "null" : mysession.getId()));
    // hand the same request on to index.jsp after the session has been invalidated
    RequestDispatcher rd = req.getRequestDispatcher("/index.jsp");
    rd.forward(req, (HttpServletResponse) response);
%>
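
The six steps above can be replayed against a small model of the container and the browser's cookie jar. This is an added example, not part of the original post; it assumes the container marks the session cookie `Secure` when the session is created on an HTTPS request (Tomcat does this), and the `Container`, `Browser` and `replay` names and the `sessionN` ids are made up for the model.

```python
import itertools
from http.cookies import SimpleCookie


class Container:
    """Minimal model of the servlet container's session handling."""
    def __init__(self):
        self.live = set()
        self._ids = (f"session{n}" for n in itertools.count(1))  # constructed ids

    def request(self, secure, cookie_id, invalidate=False):
        """Return (session id the page sees, Set-Cookie header or None)."""
        if invalidate:                       # logout.jsp: session.invalidate()
            self.live.discard(cookie_id)
        if cookie_id in self.live:
            return cookie_id, None
        sid = next(self._ids)                # JSP pages create a session by default
        self.live.add(sid)
        header = f"JSESSIONID={sid}; Path=/sessiontest"
        # Assumption: the cookie is flagged Secure when the creating request was HTTPS
        return sid, header + ("; Secure" if secure else "")


class Browser:
    """Simplified cookie jar for one host; cookies are not isolated by port."""
    def __init__(self):
        self.jar = None                      # (value, secure_only) or None

    def visit(self, container, secure, invalidate=False):
        sent = None
        if self.jar and (secure or not self.jar[1]):
            sent = self.jar[0]               # Secure cookies go out over HTTPS only
        sid, header = container.request(secure, sent, invalidate)
        if header:                           # same name and path: replaces old cookie
            morsel = SimpleCookie(header)["JSESSIONID"]
            self.jar = (morsel.value, bool(morsel["secure"]))
        return sid


def replay():
    """Replay the steps from the post; returns the session id seen at each one."""
    c, b = Container(), Browser()
    return [
        b.visit(c, secure=False),                  # 1) http  index.jsp
        b.visit(c, secure=True),                   # 2) https page2.jsp
        b.visit(c, secure=True, invalidate=True),  # 3-4) https logout.jsp -> index.jsp
        b.visit(c, secure=True),                   # 5) https page2.jsp
        b.visit(c, secure=False),                  # 6) http  index.jsp
    ]


if __name__ == "__main__":
    print(replay())
```

In this model the cookie issued over HTTP in step 1 is sent on both schemes, while the one issued over HTTPS in step 4 is withheld on the plain HTTP request in step 6, so the container sees no session id and starts a new session. The same asymmetry means a session id first issued over HTTP has already crossed the wire in cleartext by the time it is reused over HTTPS.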