For the impatient
-----------------------
I'm questioning the validity of line #522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java
Please read on, since I think I have done all of the work for you. I
just need a question answered.
Background
-------------------
I'm running Tomcat 4.1.18
My application creates a Session (i.e. Shopping Cart) on a web site.
All shopping is done using HTTP, but when the user is ready to pay, we
switch to HTTPS.
Problem:
-----------------
If the user's browser doesn't support cookies, the contents of the
shopping cart are lost every time they click on an HTTPS link.
My initial investigation:
--------------------------------
I have code like the following in my application:
    response.encodeURL("http://www.uncalendar.com/shopping.jsp");
-- and --
    response.encodeURL("https://www.uncalendar.com/payment.jsp");
Notice that one is HTTP and the other is HTTPS.
I verified that in the first case, the method added the
";jsessionid=38339839843989384398439843"
but in the second case the jsessionid did NOT get added.
Both of these are displayed on the same HTML page.
This clearly explains why the shopping cart is lost. The question is,
why did response.encodeURL() not encode my HTTPS URL? Both URLs
reference www.uncalendar.com!!!!
My investigation of the Tomcat Source
---------------------------------------------------
I was surprised to find the following at line #522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java
    // Does this URL match down to (and including) the context path?
    if (!hreq.getScheme().equalsIgnoreCase(url.getProtocol()))
        return (false);
This basically says "If the current request is HTTP and the url being
encoded uses HTTPS, then the url cannot be encoded and the jsessionid
will be lost if the user clicks on this link."
At line 540, it is even more obvious:
    if (serverPort != urlPort)
        return (false);
"If I'm using port 80 but the url links to port 443, then jsessionid is
toast."
My questions to the Tomcat masters
-----------------------------------------------
1) Is this a bug in Tomcat?
2) If not, how is one supposed to keep a Shopping Cart when switching
between HTTP and HTTPS if the user's browser doesn't support cookies?
Closing comments
----------------------------
Thanks for any help!
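
Added example, not part of the original post and not Tomcat's source: a stand-alone Java model of the two comparisons quoted above (scheme, then port), run against the post's two URLs plus one constructed URL. The class and method names are hypothetical, and the default-port fallback (80 for http, 443 for https) is an assumption about how a missing port is resolved.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added illustration: models only the scheme and port comparisons quoted in the
// post. Not Tomcat's HttpResponseBase code; all names here are hypothetical.
public class EncodeCheckDemo {

    // Assumption: a URL without an explicit port uses 443 for https, else 80.
    static int effectivePort(String scheme, int port) {
        if (port != -1) return port;
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    // Returns null when the session id would be appended, otherwise the reason it is skipped.
    static String refusalReason(String reqScheme, int reqPort, String target)
            throws MalformedURLException {
        URL url = new URL(target);
        if (!reqScheme.equalsIgnoreCase(url.getProtocol()))
            return "scheme mismatch (" + reqScheme + " vs " + url.getProtocol() + ")";
        int serverPort = effectivePort(reqScheme, reqPort);
        int urlPort = effectivePort(url.getProtocol(), url.getPort());
        if (serverPort != urlPort)
            return "port mismatch (" + serverPort + " vs " + urlPort + ")";
        return null;
    }

    // Appends ;jsessionid only when both checks pass (targets here carry no query string).
    static String encode(String reqScheme, int reqPort, String target, String sessionId)
            throws MalformedURLException {
        return refusalReason(reqScheme, reqPort, target) == null
                ? target + ";jsessionid=" + sessionId : target;
    }

    public static void main(String[] args) throws MalformedURLException {
        String sid = "38339839843989384398439843"; // session id value shown in the post
        String[] targets = {
            "http://www.uncalendar.com/shopping.jsp",
            "https://www.uncalendar.com/payment.jsp",
            "http://www.uncalendar.com:443/payment.jsp" // constructed: same scheme, other port
        };
        for (String t : targets) {
            // The current request is plain HTTP on port 80, as in the post.
            String reason = refusalReason("http", 80, t);
            System.out.println(encode("http", 80, t, sid)
                    + (reason == null ? "" : "   <- not encoded: " + reason));
        }
    }
}
```

Only the first target comes back with `;jsessionid=` appended; the HTTPS link stops at the scheme comparison, and the constructed third URL passes that comparison but stops at the port comparison.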