Bill,

Thanks for your reply!

However, I have discovered an interesting twist to my scenario that doesn't make sense to me given your explanation below. FYI - I am currently running Tomcat 4.1.x and Apache 2 on a RHL platform.

Now, for the interesting/puzzling part: if I initially connect via http to www.hostname.com and then connect via https to secure.hostname.com, I can subsequently connect via http to secure.hostname.com without losing the session created when connecting via https. Apparently, I only lose the session information when I switch from https to http AND go to the aliased hostname.

Any further thoughts?

Thanks,

Scott Stewart
Manager, Software Development
[EMAIL PROTECTED]
work: 407-515-8656
cell : 407-435-1036
fax : 407-515-9001
ClearSky Mobile Media, Inc.
56 E. Pine St. Suite 200
Orlando, FL 32801 USA

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 11:44 PM
To: [EMAIL PROTECTED]
Subject: Re: SingleSignOn on within an aliased Host

This should really be in the FAQ (if it isn't already). For security reasons, if you establish a session under https on TC 4.x and higher, the session is not accessible if you later fall back to http. TC 3.3.1 doesn't have this restriction, but the TC 3.3.2 release will (with an option to turn it off for backwards compatibility only).

"Scott Stewart" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Is anyone aware of any known issues regarding the use of SingleSignOn within
> an aliased host?
>
> I currently have a single host defined in server.xml (say, "www.hostname.com")
> with one alias defined for that host (say, "secure.hostname.com"). I am using
> SSL & container-managed security (form based) to segregate account signup,
> account management and other secured portions of the site from the generally
> accessible areas.
>
> The problem I am having is that once I authenticate myself via https to
> secure.hostname.com, if I surf over to the unsecured site via an http call to
> www.hostname.com all knowledge of myself has disappeared (i.e. calls to
> getUserPrincipal() return null).
>
> Does this make sense?
>
> Any thoughts???
>
> Thanks in advance to any help that you may be able to provide,
>
> Scott
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
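The session behaviour discussed in this thread depends on two browser-side rules the messages do not spell out: a cookie is scoped to the exact host that set it (so an Alias configured in server.xml is invisible to the browser), and a cookie carrying the Secure attribute is withheld on plain http. The Python model below is an added example, not code from the thread or from Tomcat; it replays Scott's request sequence under both flag settings. The cookie value and URLs are constructed, and whether Tomcat 4.1 set Secure on its session cookie is not stated in the thread, so it is left as a parameter.

```python
"""Browser-side cookie scoping (RFC 6265 host-only cookies and the Secure
attribute) for the hosts in this thread. Added example; not code from the
thread or from Tomcat. Cookie name, value and URLs are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    host: str      # host that set it; with no Domain attribute the cookie is host-only
    secure: bool   # Secure attribute: the browser sends it over https only


class CookieJar:
    """Minimal jar: stores cookies and decides which ones a request would carry."""

    def __init__(self) -> None:
        self._cookies: list[Cookie] = []

    def store(self, set_by_url: str, name: str, value: str, secure: bool) -> None:
        host = urlsplit(set_by_url).hostname
        # A new Set-Cookie with the same name from the same host replaces the old one.
        self._cookies = [c for c in self._cookies if (c.name, c.host) != (name, host)]
        self._cookies.append(Cookie(name, value, host, secure))

    def cookies_for(self, url: str) -> dict[str, str]:
        parts = urlsplit(url)
        over_https = parts.scheme == "https"
        # Host must match exactly (a server.xml Alias is invisible to the browser),
        # and a Secure cookie is withheld on plain http.
        return {c.name: c.value for c in self._cookies
                if c.host == parts.hostname and (over_https or not c.secure)}


def session_cookie_sent(secure_flag: bool) -> dict[str, bool]:
    """Replay the thread's sequence: log in over https on the alias, then request
    the same host and the canonical host over http. Returns, per follow-up URL,
    whether the browser would present the session cookie at all."""
    jar = CookieJar()
    jar.store("https://secure.hostname.com/login", "JSESSIONID", "constructed-id",
              secure=secure_flag)  # JSESSIONID is Tomcat's default session cookie name
    followups = ["http://secure.hostname.com/account", "http://www.hostname.com/"]
    return {url: "JSESSIONID" in jar.cookies_for(url) for url in followups}


if __name__ == "__main__":
    print(session_cookie_sent(secure_flag=False))  # alias host True, www False
    print(session_cookie_sent(secure_flag=True))   # both False
```

Bill's https-to-http restriction is enforced inside Tomcat and is independent of this cookie scoping, so the model only shows which requests can present the cookie at all: without Secure, the alias host still receives it over http while www.hostname.com never does.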
