On Apr 9, 2004, at 3:28 AM, Martin Alley wrote:


> BTW, do you know if this policy is in the browser, or if Tomcat uses the
> Referer header to implement it on the server?

This is probably a side effect of the way cookies work. A cookie can have a 'secure' flag set, which means it won't get sent over a normal http connection. There is nothing which prevents a non-secure cookie from being sent on a https connection. So if you establish a session via http, that same session will get used when you switch to https but possibly not vice versa.


Sandy McArthur
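
The cookie behaviour described in the reply above, as an added example that is not part of the original message: Python's standard `http.cookiejar` stands in for the browser and shows which requests carry the session cookie. The host name and cookie value are constructed, and the `secure=True` case assumes the server flags a session cookie it issues over https.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "shop.example.test"  # constructed host, not from the thread


def session_jar(secure):
    """Client cookie jar holding one session cookie (constructed value)."""
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name="JSESSIONID", value="CONSTRUCTED0001",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    ))
    return jar


def cookies_sent(jar, url):
    """Names of the cookies the client would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the secure-flag check per scheme
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0] for p in header.split("; ") if p)


def session_survives(secure, start_scheme, next_scheme):
    """True if a session begun on start_scheme is still presented on next_scheme."""
    jar = session_jar(secure)
    first = cookies_sent(jar, f"{start_scheme}://{HOST}/login")
    later = cookies_sent(jar, f"{next_scheme}://{HOST}/account")
    return bool(first) and first == later


if __name__ == "__main__":
    # Session started over http with a non-secure cookie, then switched to https.
    print("http -> https, non-secure:", session_survives(False, "http", "https"))
    # Session started over https with a secure cookie, then switched to http.
    print("https -> http, secure:    ", session_survives(True, "https", "http"))
    # Session started over https but the cookie was never flagged secure.
    print("https -> http, non-secure:", session_survives(False, "https", "http"))
```

The third case is the one to check for on a server: a session cookie issued over https without the secure flag is still sent on plain http requests.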

