You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Joshua Szmajda <jo...@loki.ws> on 2002/09/06 20:36:21 UTC
passing a session from non-SSL to SSL
Hi all,
I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm
noticing that my application is now losing track of its sessions when I
switch from non-SSL to SSL. The code worked fine in Tomcat 3.2.. I was
wondering if there's something I'm missing. My server.xml has a single
Ajp13 connector and a plain vanilla host / context configuration. I've
JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.
I'm sure it's something in the spec that's changed, but I can't for
the life of me find out what. Changing the code is possible, but
preferably avoidable as I didn't write it.
Thanks in advance!
-Joshua Szmajda
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: passing a session from non-SSL to SSL
Posted by Milt Epstein <me...@uiuc.edu>.
On Thu, 12 Sep 2002, Gary Lyons wrote:
> Does anyone have an answer for this?? I can't find anything in the
> docs that covers this. Please help.
Check the archives, this question has come up before.
And there were a couple of responses (including one or two from me)
when this was first posted, a week or so ago.
> Joshua Szmajda wrote:
>
> > Hi all,
> >
> > I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm
> > noticing that my application is now losing track of its sessions when I
> > switch from non-SSL to SSL. The code worked fine in Tomcat 3.2.. I was
> > wondering if there's something I'm missing. My server.xml has a single
> > Ajp13 connector and a plain vanilla host / context configuration. I've
> > JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.
> >
> > I'm sure it's something in the spec that's changed, but I can't for
> > the life of me find out what. Changing the code is possible, but
> > preferably avoidable as I didn't write it.
> >
> > Thanks in advance!
> > -Joshua Szmajda
> >
> > --
> > To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> > For additional commands, e-mail: <ma...@jakarta.apache.org>
>
>
> --
> To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
>
Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: passing a session from non-SSL to SSL
Posted by Gary Lyons <gl...@lyonsinc.com>.
Does anyone have an answer for this?? I can't find anything in the docs that
covers this. Please help.
Gary Lyons
Joshua Szmajda wrote:
> Hi all,
>
> I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm
> noticing that my application is now losing track of its sessions when I
> switch from non-SSL to SSL. The code worked fine in Tomcat 3.2.. I was
> wondering if there's something I'm missing. My server.xml has a single
> Ajp13 connector and a plain vanilla host / context configuration. I've
> JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.
>
> I'm sure it's something in the spec that's changed, but I can't for
> the life of me find out what. Changing the code is possible, but
> preferably avoidable as I didn't write it.
>
> Thanks in advance!
> -Joshua Szmajda
>
> --
> To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: passing a session from non-SSL to SSL
Posted by Milt Epstein <me...@uiuc.edu>.
On Fri, 6 Sep 2002, Joshua Szmajda wrote:
> Hi all,
>
> I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
> I'm noticing that my application is now losing track of its sessions
> when I switch from non-SSL to SSL. The code worked fine in Tomcat
> 3.2.. I was wondering if there's something I'm missing. My
> server.xml has a single Ajp13 connector and a plain vanilla host /
> context configuration. I've JKMount'ed /* to ajp13 in apache on both
> the normal and SSL virtual hosts.
>
> I'm sure it's something in the spec that's changed, but I can't
> for the life of me find out what. Changing the code is possible, but
> preferably avoidable as I didn't write it.
It's well known that Tomcat does not preserve sessions when switching
from SSL to non-SSL (and/or vice-versa). Don't know about earlier
versions, but that's true of the current version. You can check the
archives to see where others have brought this up.
I don't think this is a spec issue, so I guess either it was an
implementation choice by the Tomcat developers or perhaps there's no
way (or no easy way) around it. If it was an implementation choice, I
don't know what it was based on. I believe there are other servlet
containers that you can set up so that such switching does not lose
sessions. I'm not sure of all the technical issues involved.
Also note that some will say that it doesn't make sense to switch back
and forth between SSL and non-SSL because security is compromised.
Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>