All,

There have been several discussions within the last 12 months on both tomcat-user and tomcat-dev concerning the inability to transfer sessions between HTTP and HTTPS access requests to the same application via Netscape. (See below for reference URLs.)

I currently have this problem with Apache 1.3.19 and Tomcat 3.3, but I also had this problem using JServ 1.1.2. Interestingly, JServ had a configuration directive that you could use to solve this problem. Unfortunately, it appears that Tomcat does not.

As several people have already pointed out, Netscape discriminates between URLs that differ only in port number so that http://a.b.c:8080/ and https://a.b.c:8443/ are different. Specifically, if Netscape receives a cookie from an application at http://a.b.c:8080/, it will not present that cookie during a subsequent secure access request to the same application at https://a.b.c:8443/. Netscape decides that the port numbers are different and therefore there's no guarantee that it's the same web server; therefore, it takes the conservative approach and decides not to forward the cookie. IE will, however, forward the cookie received via HTTP back to the web server.

What I discovered was that Netscape 4.78 (and maybe other versions) would bypass that logic if the session cookie contains a non-empty domain attribute. So, if the JServ session cookie contained a domain attribute of "a.b.c", then Netscape would send the JServ session cookie back to any web server on a.b.c, regardless of the scheme used (http or https).

JServ allowed you to specify the domain attribute value of the JServ session cookie with the "session.topleveldomain" directive in the zone's properties file:

    # Set the domain= header that gets sent with the cookie. This is
    # entirely optional
    # Default: null
    #session.topleveldomain=.foo.com
    session.topleveldomain=a.b.c

Does anyone know of equivalent functionality in Tomcat 3.3? If we were able to explicitly set the domain attribute of the Tomcat session cookie, then this problem could be averted.

Thanks,
Orion

Reference URLs for previous discussion on the topic:

http://mikal.org/interests/java/tomcat/archive/view?mesg=31740
http://w4.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html
http://w4.metronet.com/~wjm/tomcat/2001/May/msg00894.html
http://mikal.org/interests/java/tomcat/archive/view?mesg=49229
http://w4.metronet.com/~wjm/tomcat/2001/May/msg00912.html
