Hi,

I've got a site up and running which uses Tomcat via Apache2 and mod_jk2
(only - no direct access to Tomcat).

I manage logins using standard session management via cookies.

Some of the site is accessible by http, other bits are accessible via https.
This is managed by mod_rewrite in Apache.

I've noticed that if I make the login page an http page, the session cookie
is sent to the server in both http and https requests, so the person appears
logged in.

However, if the login page is accessed via https, the session cookie is only
sent to https requests, not http requests, so the user appears not logged in
on the non-secure pages.

I understand that this could usually be desirable behaviour - it keeps a
cookie given out over https secure.

However this is not the behaviour I want.  I want the login page to be https
to protect the password, but I want the session cookie to be passed in http
requests too.  Is there a way to make a cookie passed over https accessible
to http requests?  Is Tomcat doing this or Apache?

Is this clear?

Any suggestions or pointers to further reading would be very much
appreciated.

Best regards,

Andy
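
The behaviour described in the post, as an added example that is not part of the original message and is not Tomcat or Apache code: a minimal JavaScript model of the browser-side decision to attach a cookie. It assumes the cookie issued during the https login carries the `Secure` attribute and the one issued during the http login does not. The cookie values, host name and function names are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into name, value and the two
// attributes this example cares about (Secure and Path).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  // Simplification: default the path to "/" when no Path attribute is given.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, path: '/' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'path' && v.trim().startsWith('/')) cookie.path = v.trim();
  }
  return cookie;
}

// Path matching in the style of RFC 6265: "/app" matches "/app" and
// "/app/x" but not "/application".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  // A Secure cookie is only ever attached to https requests.
  if (cookie.secure && url.protocol !== 'https:') return false;
  return pathMatches(cookie.path, url.pathname);
}

// Constructed sample headers: same session id, with and without Secure.
const fromHttpsLogin = parseSetCookie('JSESSIONID=CONSTRUCTED123; Path=/; Secure');
const fromHttpLogin = parseSetCookie('JSESSIONID=CONSTRUCTED123; Path=/');

// Compare both cookies against one http page and one https page.
function report() {
  const urls = ['http://www.example.com/catalogue', 'https://www.example.com/account'];
  return urls.map((u) => ({
    url: u,
    httpsLoginCookieSent: wouldSend(fromHttpsLogin, u),
    httpLoginCookieSent: wouldSend(fromHttpLogin, u),
  }));
}

console.log(report());
```

The cookie without `Secure` is attached to both request types, which means the session identifier also travels over the unencrypted http connection.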


