You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Philipp Leusmann <ph...@post.rwth-aachen.de> on 2003/08/28 20:27:52 UTC

Netscape Session problem

Hi,

in my Application I am running into trouble with getting the same session
for http- and https-pages.
I am using a security-constraint for some pages to use a https connection.
But when the user gets a session on a http-page he doesn´t get the same
session on a https-page. At least in Netscape7.0 and older Mozillas he
doesn´t. In IE , Opera and Mozilla 1.4 it works without problems.
Is there anything I can do about that? Can i alter security-constraints
during runtime?

Thanks in advance,
 Philipp

Re: Netscape Session problem

Posted by Tim Funk <fu...@joedog.org>.

In summary: (So i got it right)

You are going from http-->https and wish to retain the session in the transition.

With IE , Opera and Mozilla 1.4 - ALL OK
Older Moz, and Netscape 7(and less) - a new session is made. (Not ok?)

If thats the case I have no clue but a workaround is to ditch the security 
constraint in web.xml and create a Filter on all pages which checks for 
request.isSecure() and issues a redirect doing the session encoding for you 
to the https version.

For example:
public void doFilter(...) {
      if (request.isSecure()) {
          chain.doFilter(request, response);
      } else {
          HttpServletRequest req = (HttpServletRequest)request;
          HttpServletResponse res = (HttpServletResponse)response;
          StringBuffer url = request.getURL();
          if (null!=request.getQueryString())
              url.append("?").append(request.getQueryString());

          response.sendRedirect("https://" +
                                 request.getServerName() +
                                 response.encodeURL(url));
      }
}
-Tim

Philipp Leusmann wrote:

> Hi,
> 
> in my Application I am running into trouble with getting the same session
> for http- and https-pages.
> I am using a security-constraint for some pages to use a https connection.
> But when the user gets a session on a http-page he doesn´t get the same
> session on a https-page. At least in Netscape7.0 and older Mozillas he
> doesn´t. In IE , Opera and Mozilla 1.4 it works without problems.
> Is there anything I can do about that? Can i alter security-constraints
> during runtime?
> 
> Thanks in advance,
>  Philipp
>