Dave, <snip> >The system described above relies on correct behavior of cookies on the Mac >in IE, and it works for us. I don't know if any behavior on the Tomcat side >has changed since 4.0.1, but I would tend to doubt it.
That's nice to hear :-| >Why are you using a secure cookie for the session cookie? Do you need to? 1. We tested this exclusively over HTTPS. For HTTP things work OK: 2. Actually, we do absolutely nothing but "request.getSession()" which triggers the session-mechanism according to my fellow developer. I.e. we don't handle cookies ourselves, we rely on Tomcat's handling which has worked fine until we started to mess with Mac and IE 5. >If so, you can't expect the session to remain intact across HTTP and HTTPS >requests. Any browser that DOES send a secure cookie over a straight HTTP >request is dangerously out of spec. Note, we don't switch between HTTP and HTTPS, but you are right in your comment. cheers, Anders -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
