Hi,

The HttpSession must be created within an HTTP request if you want to share it
between HTTP and HTTPS requests.
A session created by HTTPS request is not shared with HTTP requests.
The reason is that the JSESSIONID cookie created in HTTPS is "secure" and
it is not preserved for the HTTP requests, so the session is "lost". I
guess encoding the jsessionid in the url will fix this problem.

In Wicket code we have this comment about this:
https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/https/HttpsMapper.java#L336-L337

Some extra links:
- http://stackoverflow.com/a/15067895/497381
- http://www.nuwanbando.com/2010/05/sharing-https-http-sessions-in-tomcat/

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 12, 2016 at 1:57 AM, Arjun Dhar <[email protected]> wrote:

> Hi,
> I have an admin Panel that is on HTTPS. It allows a user to preview a link
> on the site on HTTP.
> The problem is when doing that, when I return to the Admin Panel and perform
> any Ajax request, then what I get is:
> org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
> processed. The target page does not exist anymore.
>
> Observations:
> a. The session is being invalidated.
> b. The JSESSIONID in the admin to start and the target page were the same
> (surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
> granted in target Window?)
>
> If someone can explain (a) & (b) and as a bonus any work around without
> compromising security.
> For me this is a Nice to Have not a Must have, but I need to understand
> what's going on here.
>
> thanks
>
> -----
> Software documentation is like sex: when it is good, it is very, very
> good; and when it is bad, it is still better than nothing!
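Added example, not code from the thread, from Wicket or from Tomcat: a model of the HTTPS -> HTTP -> HTTPS round trip described above. The browser side is Python's standard-library http.cookiejar, which applies the RFC 6265 rule that a cookie carrying the Secure attribute is only attached to https requests. The server side is a toy container that, like Tomcat, marks JSESSIONID Secure only when the session was created by an HTTPS request. The host name, the session ids and the container itself are constructed for the illustration.

```python
"""Model of the thread's HTTPS -> HTTP -> HTTPS round trip.

Browser side: Python's http.cookiejar (RFC 6265: Secure cookies go only on
https requests). Server side: a toy container that, like Tomcat, marks
JSESSIONID Secure only when the session was created over HTTPS.
Host name, session ids and the container are constructed for this example.
"""
import email.message
import http.cookiejar
import urllib.request

ADMIN_HOST = "admin.example.test"  # constructed; same host for both schemes


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def _session_id_from(cookie_header):
    """Pull JSESSIONID out of a Cookie request header (None if absent)."""
    if not cookie_header:
        return None
    for pair in cookie_header.split("; "):
        name, _, value = pair.partition("=")
        if name == "JSESSIONID":
            return value
    return None


class ToyContainer:
    """Session store with Tomcat-like JSESSIONID cookie handling (constructed)."""

    def __init__(self):
        self.sessions = set()
        self._counter = 0

    def handle(self, scheme, cookie_header):
        """Return (session id used, Set-Cookie values for the response)."""
        sid = _session_id_from(cookie_header)
        if sid in self.sessions:
            return sid, []  # joined an existing session; nothing to set
        # No usable session id arrived: create a new session. The cookie gets
        # the Secure attribute only if this request came in over HTTPS.
        self._counter += 1
        sid = f"S{self._counter}"
        self.sessions.add(sid)
        attrs = "; Path=/; HttpOnly" + ("; Secure" if scheme == "https" else "")
        return sid, [f"JSESSIONID={sid}{attrs}"]


def browse(jar, container, url):
    """One request/response: attach in-scope cookies, let the container
    answer, store whatever it sets. Returns the session id the request used."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # withholds Secure cookies unless type is https
    sid, set_cookies = container.handle(request.type, request.get_header("Cookie"))
    jar.extract_cookies(_Response(set_cookies), request)
    return sid


def session_flow_https_first():
    """The scenario from the thread: session created on HTTPS."""
    jar, container = http.cookiejar.CookieJar(), ToyContainer()
    return {
        "admin_https": browse(jar, container, f"https://{ADMIN_HOST}/admin"),
        # The Secure cookie is withheld here, so the container starts a new,
        # non-Secure session, which the jar stores under the same name/path.
        "preview_http": browse(jar, container, f"http://{ADMIN_HOST}/preview"),
        # Back on HTTPS the jar sends the replacement id: the page bound to
        # the first session is gone (the PageExpiredException in the thread).
        "admin_https_again": browse(jar, container, f"https://{ADMIN_HOST}/admin"),
    }


def session_flow_http_first():
    """The workaround from the reply: create the session on plain HTTP first."""
    jar, container = http.cookiejar.CookieJar(), ToyContainer()
    return {
        "preview_http": browse(jar, container, f"http://{ADMIN_HOST}/preview"),
        "admin_https": browse(jar, container, f"https://{ADMIN_HOST}/admin"),
        "preview_http_again": browse(jar, container, f"http://{ADMIN_HOST}/preview"),
    }


if __name__ == "__main__":
    print("HTTPS first:", session_flow_https_first())
    print("HTTP first: ", session_flow_http_first())
```

The HTTPS-first flow gives S1, S2, S2: the admin session S1 is never sent to the HTTP preview, the container answers with a fresh non-Secure S2, and the next HTTPS request carries S2. Two caveats for reading the result. First, the standard-library jar follows the original RFC 6265 rule and lets the plain-HTTP response overwrite the Secure cookie; browsers that implement the later "Leave Secure Cookies Alone" rule from the RFC 6265bis draft (Chrome and Firefox since 2016/2017) refuse that overwrite, so in them step 3 would still send S1 and only the preview tab would end up with its own session. Second, the HTTP-first flow gives S1, S1, S1 because the cookie is non-Secure, which is exactly the cost of the workaround: the id that authenticates the HTTPS admin panel now crosses the wire in cleartext on every HTTP request, and the same holds for a jsessionid encoded in the URL.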
