Posted to users@tomcat.apache.org by Manuel Mall <MM...@arcus.com.au> on 2002/03/26 11:17:56 UTC

Session lost when switching from https to http in Tomcat 4

Has the session semantic changed between Tomcat 3 and Tomcat 4?

We have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest of their interactions using http.
This works fine under Apache 1.3.22 with Tomcat 3.2.1 connecting using
ajp12.

After upgrading to Tomcat 4.0.3, now using ajp13, the session appears not to
be preserved between https and http, i.e. after switching back to http the
request.getSession(false) call returns null.

This seems to indicate that the session tracking mechanism has changed
between Tomcat 3 and Tomcat 4. Can anyone shed light on this for me? Is this
expected? Is there a workaround/configuration/setting in Tomcat 4 I might
have missed?

Thanks

Manuel

--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


RE: Session lost when switching from https to http in Tomcat 4

Posted by Gurmeet <gu...@indicom.co.in>.
Anders, thanks a lot.

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Tuesday, March 26, 2002 7:34 PM
To: Tomcat Users List
Subject: Re: Session lost when switching from https to http in Tomcat 4


Gurmeet,
I (or rather my colleague) removed the line that appends "&Secure" to
JSESSIONIDs.

Anders

----- Original Message -----
From: "Gurmeet" <gu...@indicom.co.in>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Tuesday, March 26, 2002 14:32
Subject: RE: Session lost when switching from https to http in Tomcat 4


Thanks Anders,

But as you must know, if I implement an HttpSessionBindingListener then
it would still be a problem.

Can you please elaborate on the patching you did on the CookieTools class?

Regards
Gurmeet

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Tuesday, March 26, 2002 6:49 PM
To: Tomcat Users List
Subject: Re: Session lost when switching from https to http in Tomcat 4


Gurmeet,
The only known workarounds I know of are handling sessions in URLs or
patching the CookieTools class, which we did.

Anders

----- Original Message -----
From: "Gurmeet" <gu...@indicom.co.in>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Tuesday, March 26, 2002 13:51
Subject: RE: Session lost when switching from https to http in Tomcat 4


Hi,

I just read this and tested for my app also wherein I would have the same
problem in coming days.

Any better way of overcoming this problem other than persisting the session
manually?

Regards,
Gurmeet

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Tuesday, March 26, 2002 4:08 PM
To: tomcat-dev@jakarta.apache.org; Tomcat Users List
Cc: Peter Tornberg
Subject: Re: Session lost when switching from https to http in Tomcat 4


You are right Manuel,

Tomcat 4.0.2 using SSL unfortunately always sets a &Secure flag
on JSESSIONIDs, which does not (depending on browser) allow
you to do this https->http switch.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6983

A Macintosh using IE 5 cannot even obtain a _standard_ SSL jsession due to
this.

This is why I have requested this behavior to become an option.

The option would actually disable a cookie-RFC compliant feature,
but so what, if you cannot get things to work?

cheers,
Anders


Re: Session lost when switching from https to http in Tomcat 4

Posted by Anders Rundgren <an...@telia.com>.
Gurmeet,
I (or rather my colleague) removed the line that appends "&Secure" to JSESSIONIDs.

Anders


RE: Session lost when switching from https to http in Tomcat 4

Posted by Gurmeet <gu...@indicom.co.in>.
Thanks Anders,

But as you must know, if I implement an HttpSessionBindingListener then
it would still be a problem.

Can you please elaborate on the patching you did on the CookieTools class?

Regards
Gurmeet


Re: Session lost when switching from https to http in Tomcat 4

Posted by Anders Rundgren <an...@telia.com>.
Gurmeet,
The only known workarounds I know of are handling sessions in URLs or
patching the CookieTools class, which we did.

Anders


RE: Session lost when switching from https to http in Tomcat 4

Posted by Gurmeet <gu...@indicom.co.in>.
Hi,

I just read this and tested for my app also wherein I would have the same
problem in coming days.

Any better way of overcoming this problem other than persisting the session
manually?

Regards,
Gurmeet


Re: Session lost when switching from https to http in Tomcat 4

Posted by Anders Rundgren <an...@telia.com>.
You are right Manuel,

Tomcat 4.0.2 using SSL unfortunately always sets a &Secure flag
on JSESSIONIDs, which does not (depending on browser) allow
you to do this https->http switch.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6983

A Macintosh using IE 5 cannot even obtain a _standard_ SSL jsession due to this.

This is why I have requested this behavior to become an option.

The option would actually disable a cookie-RFC compliant feature,
but so what, if you cannot get things to work?

cheers,
Anders
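
Added example, not part of the thread and not Tomcat code: Python's standard http.cookiejar plays the client to show why the session disappears on the https->http switch, and what a session cookie issued without Secure does instead (the id is then sent over plain http). The host name, paths and session id are constructed sample values, and the jar models a client that follows the cookie rules, not any particular browser.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample values (not from the thread): host, paths and session id.
LOGIN_URL = "https://shop.example/app/login"
HTTP_URL = "http://shop.example/app/cart"
HTTPS_URL = "https://shop.example/app/cart"
WITH_SECURE = "JSESSIONID=0123456789ABCDEF; Path=/app; Secure"
WITHOUT_SECURE = "JSESSIONID=0123456789ABCDEF; Path=/app"


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs info()."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string("Set-Cookie: " + set_cookie + "\n\n")

    def info(self):
        return self._msg


def cookie_header_after_login(set_cookie, next_url, login_url=LOGIN_URL):
    """Store set_cookie as received from login_url, then return the Cookie
    header the client attaches to a request for next_url (None if the
    cookie is withheld)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def session_survives(set_cookie, next_url):
    """True when the server would receive the session id on next_url, i.e.
    when request.getSession(false) has an id to look up."""
    header = cookie_header_after_login(set_cookie, next_url)
    return header is not None and header.startswith("JSESSIONID=")


def cleartext_exposure(set_cookie):
    """True when a session id issued over https is later sent over plain
    http, where it is readable on the network path."""
    return session_survives(set_cookie, HTTP_URL)


if __name__ == "__main__":
    for label, header in (("with Secure", WITH_SECURE),
                          ("without Secure", WITHOUT_SECURE)):
        print(label,
              "| https:", session_survives(header, HTTPS_URL),
              "| http:", session_survives(header, HTTP_URL),
              "| cleartext exposure:", cleartext_exposure(header))
```
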
