"Martin Alley" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I have a small web app that appears to illustrate the following
> behaviour.
> Session started in http is carried over to https, but session started in
> https is *not* carried over to http!
>
> Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).

>
> Web app has 3 pages
> Index.jsp
> Page2.jsp
> Logout.jsp (does session invalidate & forward to index.jsp)
>
> 1) go to index.jsp as http (session1)
> 2) follow https link to page2.jsp (session1)
> 3) follow https link to logout.jsp
> 4) now at https index.jsp with session2 (session2 created in https
> world)
> 5) follow https link to page2.jsp again (session2)
> 6) follow *http* link to index.jsp (session 3!!!)
>
> I don't understand why session 3 is created.
>
> I read that old browsers don't maintain sessions between http and https;
> I'm using IE6
>
> Can anyone explain this?
>
> Thanks
> Martin
> PS Code is below.
>
>
> ******************Index.jsp
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
>
> <html>
> <body>
> <%
> HttpServletRequest req = ( HttpServletRequest ) request;
> HttpSession mysession = req.getSession(false );
>
> Log __log = LogFactory.getLog( this.getClass() );
> __log.info("index.jsp");
>
> __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
> %>
> <p>
> SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>
>
> </p>
>
> <p>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/page2.jsp")%>">page2</a>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
> </p>
> </body>
> </html>
>
> ********************page2.jsp
> <%@ page import=" javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
> <html>
> <body>
> <%
> HttpServletRequest req = ( HttpServletRequest ) request;
> HttpSession mysession = req.getSession(false );
>
> Log __log = LogFactory.getLog( this.getClass() );
> __log.info("page2");
>
> __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
>
> %>
> <p>
> SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>
>
> </p>
>
> <p>
> <a href="<%=response.encodeURL("http://localhost:8080/sessiontest/index.jsp")%>">index page</a><br/>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
> </p>
>
> </body>
> </html>
>
>
> *************logout.jsp
> <%@ page import=" javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
> <%
> HttpServletRequest req = ( HttpServletRequest ) request;
> HttpSession mysession = req.getSession(false );
> Log __log = LogFactory.getLog( this.getClass() );
> __log.info("logout.jsp");
> __log.info("pre invalidate SessionID="+(mysession==null?"null":mysession.getId()));
> if (session!=null)
> session.invalidate();
>
>
> __log.info("post invalidate SessionID="+(mysession==null?"null":mysession.getId()));
>
>
> RequestDispatcher rd =req.getRequestDispatcher("/index.jsp");
> rd.forward(req, (HttpServletResponse)response);
>
> %>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
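The following is an added example, not code from the thread or from Martin's web app. It models the mechanism behind the reply: servlet containers such as Tomcat set the Secure attribute on the session cookie when the session is created on an SSL request, and a browser's cookie store will not send a Secure cookie on a plain http:// request, so the container sees no session id and starts a new session (the "session 3" of step 6). Python's http.cookiejar enforces the same rule, so it stands in for IE6's cookie store here; a cookie created over http carries no Secure attribute and is therefore sent on the https request (steps 1 and 2). The cookie name JSESSIONID, the Set-Cookie attributes and the session ids are assumptions or constructed values, not taken from the post.

```python
"""
Added example (not from the original thread): why a session created over
HTTPS is not carried back to HTTP, while one created over HTTP is carried
into HTTPS.  The container (Tomcat-style behaviour, assumed) marks the
session cookie Secure when the session is created on an SSL connection;
the cookie jar then withholds it on http:// requests.
"""
from email.message import Message
from http.cookiejar import CookieJar
from typing import Optional
from urllib.request import Request

# URLs taken from the posted JSPs; the cookie name is an assumption.
HTTP_INDEX = "http://localhost:8080/sessiontest/index.jsp"
HTTPS_INDEX = "https://localhost:8443/sessiontest/index.jsp"
HTTPS_PAGE2 = "https://localhost:8443/sessiontest/page2.jsp"
SESSION_COOKIE = "JSESSIONID"


class FakeResponse:
    """Minimal stand-in for the urllib response object that CookieJar
    expects: it only needs .info() to return the response headers."""

    def __init__(self, set_cookie_header: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self) -> Message:
        return self._headers


def server_sets_session(jar: CookieJar, url: str, session_id: str) -> None:
    """Simulate the container creating a new session on a request to `url`.

    The cookie is scoped to the web app path, and (assumed container
    behaviour) gets the Secure attribute only when the creating request
    arrived over SSL.  The browser's cookie jar stores it.
    """
    request = Request(url)
    attrs = f"{SESSION_COOKIE}={session_id}; Path=/sessiontest"
    if request.type == "https":
        attrs += "; Secure"
    jar.extract_cookies(FakeResponse(attrs), request)


def session_id_sent(jar: CookieJar, url: str) -> Optional[str]:
    """Return the session id the browser would present on a request to
    `url`, or None when the cookie jar withholds the cookie (the container
    would then start a fresh session)."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure/path/domain rules
    cookie_header = request.get_header("Cookie")
    if cookie_header is None:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None


def http_session_carried_to_https() -> bool:
    """Steps 1-2 of the post: a session created on http is visible on https,
    because the cookie was set without the Secure attribute."""
    jar = CookieJar()
    server_sets_session(jar, HTTP_INDEX, "session1")
    return session_id_sent(jar, HTTPS_PAGE2) == "session1"


def https_session_carried_to_http() -> bool:
    """Steps 4-6: a session created on https is NOT visible on http; the
    Secure cookie is withheld, so the container would mint 'session 3'."""
    jar = CookieJar()
    server_sets_session(jar, HTTPS_INDEX, "session2")
    return session_id_sent(jar, HTTP_INDEX) == "session2"


if __name__ == "__main__":
    print("http -> https carries session:", http_session_carried_to_https())
    print("https -> http carries session:", https_session_carried_to_http())
```

The asymmetry falls out of a single cookie attribute: the jar happily returns the non-Secure cookie from step 1 on the https request, but refuses the Secure cookie from step 4 on the http request, which is exactly what the reply means by "so that it isn't possible to steal sensitive information that was entered in via SSL". An application that mixes http and https pages and needs one logical session therefore has to keep the whole post-login flow on https rather than try to make the Secure cookie travel back to http.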