Tomcat does not permit a session to be maintained across a https to http transition for security reasons.
To force a session to expire when moving from http to https...
For https pages, at the top of your servlet/jsp, where request is the HttpServletRequest object, insert...

    if (!request.isSecure()) // not needed if page is a secure resource
    { /* code to redirect back to the same page under https */ }
    // get the browser's cookies
    Cookie[] cookies = request.getCookies();
    if (cookies == null)
    { /* code to tell user to enable cookies */ }
    // check session
    HttpSession session = request.getSession(false);
    if (session != null) {
        // Find the JSESSIONID cookie
        for (int i = 0; i < cookies.length; i++) {
            if ("JSESSIONID".equals(cookies[i].getName())) {
                if (!cookies[i].getSecure()) {
                    // invalidate non-secure session
                    session.invalidate();
                    // see below Note 1.
                    break;
                } // if cookie[]
            } // if found cookie
        } // for i
    } // if session
    session = request.getSession(true);

Note 1. At this spot in my servlet, I have code to redirect back to the servlet under https. It shouldn't be required, but I may have suspected that session.invalidate() immediately followed by a request.getSession(true) didn't work.

Hope this helps.
Bob Feretich

Subject: Moving from http to https doesnt expire session
From: Fabian Pena <[EMAIL PROTECTED]>
Date: Mon, 02 May 2005 09:54:29 -0300
To: [email protected]

hi all
I have a simple question, at least I think so. I am developing an application that contains confidential information, and I'm having a simple problem. When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.
Can anyone help me?
Thanks in advance
Fabian
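
An added example, not code from either poster or from Tomcat: the same "expire the http session on the first https request" idea written as a servlet filter. The class name SecureSessionFilter and the attribute name example.createdOverHttps are hypothetical, the javax.servlet API and the default https port are assumed, and the filter records on the server side that a session was created over https, because a browser's Cookie request header carries only each cookie's name and value.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it in web.xml to the URLs that must be https-only.
public class SecureSessionFilter implements Filter {
    // Hypothetical attribute name; set only on sessions created over https.
    static final String MARK = "example.createdOverHttps";

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;

        if (!request.isSecure()) {
            // Redirect to the same page under https (assumes port 443).
            String q = request.getQueryString();
            response.sendRedirect("https://" + request.getServerName()
                    + request.getRequestURI() + (q == null ? "" : "?" + q));
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(MARK) == null) {
            // The session id was first issued over http, so it may have been
            // seen in clear text: drop the session and everything stored in it.
            session.invalidate();
            session = null;
        }
        if (session == null) {
            // Fresh session, and therefore a fresh JSESSIONID, for https use.
            session = request.getSession(true);
            session.setAttribute(MARK, Boolean.TRUE);
        }
        chain.doFilter(request, response);
    }
}
```

The filter must run before anything writes to the response, since a new session cookie can only be set while the response is uncommitted.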
