Hi

> Actually, I'm a big advocate against staying in HTTPS, because of the overhead. However, this is a problem with Tomcat, because in the 4.x and 5.x lines it was decided by someone that if a session started in HTTPS it is only valid in HTTPS (basically, the session cookie is turned into a secure cookie only).

I do not understand this. I always thought cookies were only valid for ONE domain and ONE protocol, so the following would be pairwise different and thus cannot share a cookie:

http://www.domaina.com <> http://www.domainb.com
http://www.domaina.com <> http://domainb.com
http://www.domaina.com <> https://www.domaina.com

Is my view wrong? Is there a way to "reattach" a session to a request, if the old sessionID is known?

Regards,
Steffen
