You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Anhony <an...@comcast.net> on 2005/04/28 15:29:24 UTC
Session lost when switching from https to http in Tomcat 5.
I have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest of their interactions using http.
The session appears not to be preserved between https and http, ie. after
switching from back to http the request.getSession(false) call returns null.
Can anyone shed light on this for me? Is this expected? Is there a
workaround/configuration/setting in Tomcat 5 I might have missed?
Thanks
Anthony
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Session lost when switching from https to http in Tomcat 5.
Posted by David Smith <dn...@cornell.edu>.
Last I knew sessions are not shared between SSL and non-SSL connections
by design (as opposed to a bug). Your best bet is probably:
1. Start a session on the non-ssl side
2. Forward the user to the ssl login w/ the session id in the request
3. The ssl login stores the session id and any other important info in a
shared persistence layer (i.e. database) and forwards back to the
non-ssl side
4. The non-ssl side checks the persistence layer for it's session id and
any other info left by the login page.
--David
Anhony wrote:
> I am using Tomcat 5.0.28
>
> Users log into my application from https://xxx.com/login.jsp. When
> submitted, I check for a valid userID/Password, create a session with
> getSession(), and then save the userID/Password in a session variable.
> The validated user is then returned to my main tools page. If the user
> then selects a link to a non secure page, http://..., I get a return
> of null when performing getSession( false) when trying to check that
> the user is valid.
>
> Thanks for the help.
>
> Anthony
>
>
> ----- Original Message ----- From: "Anto Paul" <an...@gmail.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Thursday, April 28, 2005 10:26 AM
> Subject: Re: Session lost when switching from https to http in Tomcat 5.
>
>
> On 4/28/05, Anhony <an...@comcast.net> wrote:
>
>> I have a servlet/JSP application in which users establish their servlet
>> session using https but conduct the rest of their interactions using
>> http.
>>
>> The session appears not to be preserved between https and http, ie.
>> after
>> switching from back to http the request.getSession(false) call
>> returns null.
>> Can anyone shed light on this for me? Is this expected? Is there a
>> workaround/configuration/setting in Tomcat 5 I might have missed?
>>
>> Thanks
>>
>> Anthony
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
> Please specify version of Tomcat and URLs which you used which caused
> problems.
> It is working fine for me on Tomcat 4.1.12,4.1.30,4.1.31.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Session lost when switching from https to http in Tomcat 5.
Posted by Anhony <an...@comcast.net>.
I am using Tomcat 5.0.28
Users log into my application from https://xxx.com/login.jsp. When
submitted, I check for a valid userID/Password, create a session with
getSession(), and then save the userID/Password in a session variable. The
validated user is then returned to my main tools page. If the user then
selects a link to a non secure page, http://..., I get a return of null when
performing getSession( false) when trying to check that the user is valid.
Thanks for the help.
Anthony
----- Original Message -----
From: "Anto Paul" <an...@gmail.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, April 28, 2005 10:26 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.
On 4/28/05, Anhony <an...@comcast.net> wrote:
> I have a servlet/JSP application in which users establish their servlet
> session using https but conduct the rest of their interactions using http.
>
> The session appears not to be preserved between https and http, ie. after
> switching from back to http the request.getSession(false) call returns
> null.
> Can anyone shed light on this for me? Is this expected? Is there a
> workaround/configuration/setting in Tomcat 5 I might have missed?
>
> Thanks
>
> Anthony
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
Please specify version of Tomcat and URLs which you used which caused
problems.
It is working fine for me on Tomcat 4.1.12,4.1.30,4.1.31.
--
rgds
Anto Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Session lost when switching from https to http in Tomcat 5.
Posted by Anto Paul <an...@gmail.com>.
On 4/28/05, Anhony <an...@comcast.net> wrote:
> I have a servlet/JSP application in which users establish their servlet
> session using https but conduct the rest of their interactions using http.
>
> The session appears not to be preserved between https and http, ie. after
> switching from back to http the request.getSession(false) call returns null.
> Can anyone shed light on this for me? Is this expected? Is there a
> workaround/configuration/setting in Tomcat 5 I might have missed?
>
> Thanks
>
> Anthony
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
Please specify version of Tomcat and URLs which you used which caused problems.
It is working fine for me on Tomcat 4.1.12,4.1.30,4.1.31.
--
rgds
Anto Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org