This is implemented within tomcat.

Mark
> -----Original Message-----
> From: Martin Alley [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 09, 2004 8:28 AM
> To: 'Tomcat Users List'
> Subject: RE: Session behaviour across http/https boundary
>
> Hi Bill,
>
> Thanks for clarifying.
>
> BTW Do you know if this policy is in the browser, or if tomcat uses the
> refer header to implement it on the server?
>
> Thanks
> Martin
>
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
> Sent: 09 April 2004 06:22
> To: [EMAIL PROTECTED]
> Subject: Re: Session behaviour across http/https boundary
>
>
> "Martin Alley" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Hi,
> >
> > I have a small web app that appears to illustrate the following
> > behaviour.
> > Session started in http is carried over to https, but session started in
> > https is *not* carried over to http!
> >
> > Why?
>
> This is for security reasons (so that it isn't possible to steal sensitive
> information that was entered in via SSL).

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
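The asymmetry described in the thread can be reproduced with a session cookie that carries the `Secure` attribute only when the session is created over HTTPS, which is how Tomcat issues `JSESSIONID`. The following is an added example, not code from the thread or from Tomcat; the host `shop.example.test`, the session id and the helper names are constructed for illustration.

```python
# Added illustration: models the behaviour discussed in the thread; not Tomcat source.
import email.message
import http.cookiejar
import urllib.request


def session_set_cookie(session_id, secure_request, path="/app"):
    """Build a Set-Cookie value the way a container would for a new session.

    Assumption: the Secure attribute is added only when the session is
    created on an HTTPS request (hypothetical helper, not a Tomcat API).
    """
    value = f"JSESSIONID={session_id}; Path={path}"
    return value + "; Secure" if secure_request else value


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(first_url, next_url, session_id="CONSTRUCTED123"):
    """Create a session at first_url, then return the Cookie header a
    standards-following client sends to next_url (None if withheld)."""
    jar = http.cookiejar.CookieJar()
    first = urllib.request.Request(first_url)
    header = session_set_cookie(session_id, first.type == "https")
    jar.extract_cookies(FakeResponse(header), first)
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure/path/domain rules
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    http_url = "http://shop.example.test/app/cart"      # constructed URLs
    https_url = "https://shop.example.test/app/checkout"
    print("http  -> https:", cookie_sent(http_url, https_url))
    print("https -> http :", cookie_sent(https_url, http_url))
    print("https -> https:", cookie_sent(https_url, https_url))
```

To check a deployed application, look at the `Set-Cookie` response header of the first HTTPS response that creates a session and confirm that `Secure` is present.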