Hello, I believe all but your third example is correct. I am pretty sure that a cookie set for www.domaina.com will be sent to that same domain if it's in http or https.
However, if the cookie is marked as secure, it will only be sent under https. This is what has caused the problem. I still don't know why the Tomcat team decided to take out the configurable option of forcing session cookies that were created under https to be secure or not. (I understand that it makes a good default, from a security point of view. But for those that are aware of the security implications, we no longer have the option to turn it off.) This has caused a problem for many people, and has come up in numerous threads since this change was made in the Tomcat 4.x line. (Or perhaps, the configurable option was added to the 3.x line, and never added to the 4.x and 5.x lines?) http://www.junlu.com/msg/49789.html http://www.mail-archive.com/[EMAIL PROTECTED]/msg83724.html http://archives.real-time.com/pipermail/tomcat-devel/2001-October/024544.html Thanks, -Raiden Johnson On Sat, 16 Oct 2004, Steffen Heil wrote: > Hi > > > Actually, I'm a big advocate against staying in HTTPS, because of the > overhead. However, this is a problem with Tomcat, because in the 4.x and > 5.x lines it was decided by someone that if a session started in HTTPS it is > only valid in HTTPS (basically, the session cookie is turned into a secure > cookie only). > > I do not understand this. > I always thought cookies where only valid for ONE domain and ONE Protocol, > so the following would be pairwise different and thus cannot share a cookie: > > http://www.domaina.com <> http://www.domainb.com > http://www.domaina.com <> http://domainb.com > http://www.domaina.com <> https://www.domaina.com > > Is my view wrong? Is there a way to "reattach" a session to a request, if > the old sessionID is kown? > > Regards, > Steffen > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
