The discussion on this thread seems to focus on the question of whether maintaining sessions across the http / https change is secure or not.

While I do agree that it is not secure to do so, and I also acknowledge that it is common practice to do so (e.g. Hotmail), the question remains what the correct interpretation (and therefore implementation) of the session semantics as stated in the Servlet specification is.

I understand Tomcat 3.3 is the reference implementation for the 2.2 Servlet specification, while Tomcat 4 is the reference implementation for the 2.3 Servlet specification. I don't think the section on Sessions has changed between the two specifications. Why does Tomcat 4 implement a different session behaviour than Tomcat 3.3 if they are both based on essentially the same specification?

Manuel
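Independently of what the specification requires of the container, an application can defend itself against the risk the thread describes (a session id first issued over plain http being reused on the https side) with a servlet filter that re-issues the session the first time it is presented over https. This is an added example, not code from the post or from Tomcat; the filter name and the `example.sessionIssuedOverHttps` attribute are assumptions, and it assumes the Servlet 2.3 Filter API and Java 5 generics.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: a session id that has travelled over plain http may have
// been observed on the wire, so the first time that session is used over https
// we invalidate it and issue a fresh id, carrying the attributes across.
public class SchemeChangeSessionFilter implements Filter {
    // Marker attribute name is an assumption for this example, not part of the spec.
    static final String ISSUED_SECURE = "example.sessionIssuedOverHttps";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create one here
            if (session != null) {
                boolean issuedSecure = Boolean.TRUE.equals(session.getAttribute(ISSUED_SECURE));
                if (http.isSecure() && !issuedSecure) {
                    // Id was exposed over http (or its origin is unknown): rotate it.
                    Map<String, Object> saved = new HashMap<String, Object>();
                    for (Enumeration e = session.getAttributeNames(); e.hasMoreElements();) {
                        String name = (String) e.nextElement();
                        saved.put(name, session.getAttribute(name));
                    }
                    session.invalidate();
                    HttpSession fresh = http.getSession(true);
                    for (Map.Entry<String, Object> entry : saved.entrySet()) {
                        fresh.setAttribute(entry.getKey(), entry.getValue());
                    }
                    fresh.setAttribute(ISSUED_SECURE, Boolean.TRUE);
                } else if (!http.isSecure()) {
                    // Any later http request exposes the id again: mark it for rotation.
                    session.setAttribute(ISSUED_SECURE, Boolean.FALSE);
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

Mapping the filter to the secured URL space (web.xml `filter-mapping`) is left to the deployment; the filter deliberately never creates a session on its own, so unauthenticated http traffic gains nothing from it.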
