Tomcat 4/SSL/mod_webapp - losing session data when switching to SSL

[Les Hazlewood <le...@hazlewood.com>]

Hello folks... 

I have something that I'm just completely stumped on....while Google has 
been my best friend the last 5 hours, I still haven't found a solution. 

The problem: 

When going from http://mydomain/whatever.jsp 

to 

https://mydomain/secureArea/anything.jsp 

Funny things happen. 

Basically...this is the scenario: 

A user goes from an unsecure page to the secure area (https), and logs in. 

Upon succes, I populate the user object (session accessible bean) with all 
the yummy info I need (user_id, name, etc). 

When I go BACK to an http url from the secure https part, I don't have my 
session data for that user anymore :( 

I actually checked my database where I store session id's, and when they go 
from http to https to log in, Tomcat creates a new session, thereby blanking 
out my session I created previously. 

I'm using Apache, and I have Tomcat integrated as the backend jsp/servlet 
processor using mod_webapp to connect to tomcat. 

In Apache, the website has two virtual host entries (one for port 80, one 
for port 443), which is needed by apache to distinguish what protocol to use 
& when.  In Tomcat's server.xml the site has just one context declared 
within a <host> attribute for that site.  Both of these virtual hosts 
directives connect to the same webapp connector for this Context when 
passing requests to Tomcat 4. 

In Tomcat's server.xml, I have the Apache Tomcat connector defined, and I 
have included the secure="true" attribute to allow for secure connecting. 

I need Tomcat to use the same session when accessing any page on the 
site...over http or https.  How can I make this happen? 

Am I configuring the virtual hosts in Apache incorrectly? (I don't think so, 
but if there is some slick way to have one virtual host listen to 2 port 
numbers in Apache from one vhost declaration, I'm all ears). 

Do I need another webapp connection to tomcat instead of using just one? One 
for http requests, one for https requests?  I don't think this is correct 
either, since it says in the Tomcat documentation that Tomcat doesn't have 
to know about the connections if a server like Apache/IIS is already doing 
the ssl encryption/decryption stuff prior to sending stuff to Tomcat (which 
is what is happening). 

Do I have to do anything with the portRedirect attribute in the 
Apache-Tomcat connector?  I know you can use this to automatically direct 
http to https connections.  But until this session sharing problem is fixed, 
redirecting won't help me. 

Summary:  How do I use the same session data from one https page to another 
http page and vice versa for the same user without creating a new session? 

If you can even remotely help me, I'll be your best friend.  My mom makes 
some pretty good pie too... 

mmmm....pie. 

Thanks a TON for anything you folks can point out! 

Les Hazlewood 

--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>