Filip is correct. In more detail, what is happening is that you establish a session with your HTTPS login page. When you drop out of HTTPS, you establish a new session under HTTP. Now when you re-login, your login page uses the HTTP-established session, so it is still available to your HTTP pages.
The only way to "fix" this is to download the source distro, and modify the Tomcat code yourself and re-compile.

"Filip Hanik" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> when a session is established in HTTPS, the session will not work for HTTP,
> it is a security thing.
>
> If the session is established in HTTP, it will work for both HTTPS and HTTP
> I believe
>
> Filip
>
> > -----Original Message-----
> > From: Dan Lipofsky [mailto:[EMAIL PROTECTED]
> > Sent: Monday, July 28, 2003 4:54 PM
> > To: Tomcat Users List
> > Subject: Re: HTTPS session strangeness with Tomcat 4.0.6
> >
> > No. I just tried with Netscape 7.1, IE 5.5, and IE 6.0.
> > Same results for all. It's definitely a Tomcat thing.
> > - Dan
> >
> > > Dan,
> > >
> > > Does it matter which browser you use? I am experiencing (so far without
> > > resolution) problems invalidating and re-establishing sessions and
> > > refreshing pages based on session status when I use IE but have the same
> > > pages operate perfectly under NetScape.
> > >
> > > Murray
> > > -----Original Message-----
> > > From: Dan Lipofsky [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, 29 July 2003 06:54
> > > To: [EMAIL PROTECTED]
> > > Subject: HTTPS session strangeness with Tomcat 4.0.6
> > >
> > > I have a login JSP that does a session.setAttribute and all
> > > subsequent pages do a session.getAttribute to ensure the
> > > user is logged in. The login page uses HTTPS and then
> > > redirects to HTTP for subsequent pages. This worked in
> > > Tomcat 3.2.4 but fails in Tomcat 4.0.6, 4.1.24, and 5 alpha.
> > > BUT THE WAY IT FAILS IS PARTICULARLY BIZARRE - it will fail
> > > the first time but work the second time. This is very
> > > consistent. Below are 2 extremely simple JSPs that demo the
> > > problem. The first only sets the attribute and provides a
> > > link to the second. The second displays the attribute. The
> > > first time through it will say "TEST=null". If you then hit
> > > the back button and refresh the first page and click next
> > > again it will say "TEST=TEST_VAL" like it should
> > >
> > > *** First JSP: https://www3.nuserve.com:8011/testS1.jsp ***
> > >
> > > <%
> > > System.out.println("Setting TEST_KEY=TEST_VAL");
> > > session.setAttribute("TEST_KEY","TEST_VAL");
> > > %>
> > > <a href="http://www3.nuserve.com:8010/testS2.jsp">next</a>
> > >
> > > *** Second JSP: http://www3.nuserve.com:8010/testS2.jsp ***
> > >
> > > TEST=<%=session.getAttribute("TEST_KEY")%>
> > >
> > > Does anyone have an idea what causes this or how to fix it?
> > > Thanks,
> > > Dan
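
Added example, not part of the original thread and not Tomcat code: a small Python model that replays the testS1/testS2 sequence from the report to show why the first pass prints null and the second works. The `Container` and `Browser` classes are hypothetical, and the model assumes that a session created on an HTTPS request gets a Secure cookie and that a later session cookie for the same host replaces the earlier one in the browser.

```python
# Added illustration: minimal model of a servlet container and a browser cookie jar.
# Assumption: a session created on an HTTPS request gets a Secure cookie,
# and a later cookie with the same name replaces the earlier one in the jar.
import itertools

class Container:
    """Hypothetical stand-in for the servlet container's session handling."""
    def __init__(self):
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, scheme, cookie, set_attr=None):
        """Return (session_id, new cookie dict or None, value of TEST_KEY)."""
        sid = cookie["value"] if cookie else None
        set_cookie = None
        if sid not in self.sessions:
            # No usable session cookie arrived: create a fresh session.
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {}
            set_cookie = {"value": sid, "secure": scheme == "https"}
        if set_attr:
            self.sessions[sid]["TEST_KEY"] = set_attr
        return sid, set_cookie, self.sessions[sid].get("TEST_KEY")

class Browser:
    """Hypothetical cookie jar holding a single session cookie for the host."""
    def __init__(self, server):
        self.server, self.jar = server, None

    def get(self, scheme, set_attr=None):
        # A Secure cookie is only attached to HTTPS requests.
        ok = self.jar and (scheme == "https" or not self.jar["secure"])
        send = self.jar if ok else None
        sid, set_cookie, value = self.server.handle(scheme, send, set_attr)
        if set_cookie:
            self.jar = set_cookie  # same name and host: replaces the old cookie
        return sid, value

def replay():
    """Replay the report: testS1 (HTTPS), testS2 (HTTP), back, testS1, testS2."""
    b = Browser(Container())
    return [
        b.get("https", set_attr="TEST_VAL"),  # testS1.jsp, first visit
        b.get("http"),                        # testS2.jsp: new HTTP session
        b.get("https", set_attr="TEST_VAL"),  # testS1.jsp refreshed
        b.get("http"),                        # testS2.jsp: same session now
    ]

if __name__ == "__main__":
    for step in replay():
        print(step)
```

The second pass succeeds only because the session is now the one created over HTTP, so its identifier travels in cleartext on every HTTP request.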
