I am not sure which RFC you are referring to. It appears to me that the session semantic Tomcat should implement has nothing (directly) to do with cookies, etc. Tomcat implements sessions because the Java Servlet specification requires it to do so. Shouldn't the question therefore be what session semantic/scope/rules the Java Servlet Spec imposes, and whether Tomcat's implementation is conformant to this specification?
I don't have the Servlet 2.3 specification in front of me, but scanning the 2.2 specification there is no mention of the session scope with respect to https vs http. It only states that a session (its attributes) is scoped to a servlet context. One conclusion from this could be that if a servlet in the same servlet context is invoked with the same "JSESSIONID" it belongs to the same session, independent of whether it was invoked through an http or https request. Obviously this is the approach taken by Tomcat 3.2.x. It would be interesting to learn why the Tomcat designers have chosen to change this in Tomcat 4.

Manuel

-----Original Message-----
From: Joel Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 March 2002 15:12
To: Tomcat Users List
Subject: sessions, security, and the RFCs

I've been watching the conversation on https, http, session switching, and so forth. If I followed this right, it sounds as if Tomcat 4, in dropping session information on the switch, is being RFC compliant.

...
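The two session-scoping policies the thread contrasts, as an added toy model (not Tomcat's code): one store honours a JSESSIONID on any scheme, the other refuses to carry a session issued over plain http into an https request. `SessionStore`, `Session` and the scheme-check rule are assumptions about how such a policy could be expressed, not a description of Tomcat 4's implementation.

```python
# Added illustration, not Tomcat source. Models a session registry scoped to one
# servlet context and compares "same JSESSIONID => same session on http and https"
# (the Tomcat 3.2.x behaviour described in the thread) with "session is not carried
# across the http/https switch" (the Tomcat 4 behaviour described in the thread).
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    id: str
    issued_over: str                      # "http" or "https": scheme the ID was first sent on
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Sessions scoped to a single servlet context, as the Servlet 2.2 text describes."""

    def __init__(self, share_across_schemes: bool):
        # True : any request carrying a known JSESSIONID gets that session (assumed
        #        model of the 3.2.x behaviour).
        # False: an ID issued over http is not honoured on https (and vice versa);
        #        the defender's rationale is that an ID that travelled in cleartext
        #        could have been observed, so the secure channel gets a fresh session.
        self.share_across_schemes = share_across_schemes
        self._sessions: dict[str, Session] = {}

    def create(self, scheme: str) -> str:
        sid = secrets.token_hex(16)       # placeholder for the container's ID generator
        self._sessions[sid] = Session(sid, scheme)
        return sid

    def lookup(self, jsessionid: str, scheme: str):
        s = self._sessions.get(jsessionid)
        if s is None:
            return None
        if not self.share_across_schemes and s.issued_over != scheme:
            return None                   # session dropped on the scheme switch
        return s


def simulate_switch(share_across_schemes: bool):
    """Issue a session over http, store an attribute, then present the ID over https.
    Returns the attributes visible on https, or None if the session was not carried over."""
    store = SessionStore(share_across_schemes)
    sid = store.create("http")
    store.lookup(sid, "http").attributes["cart"] = ["item-1"]   # constructed sample data
    s = store.lookup(sid, "https")
    return None if s is None else dict(s.attributes)


if __name__ == "__main__":
    print("shared across schemes:", simulate_switch(True))    # {'cart': ['item-1']}
    print("dropped on switch:    ", simulate_switch(False))   # None
```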
