> > It makes sense that going from step 1 to step 2 is going to yield a
> > new sessionID, because a new window is being opened.
>
> Not really (makes sense, I mean).

It's likely that the user has closed the browser down between sessions. Also, a new window being opened in IE will have a new sessionID.

> <plug-in className="org.apache.struts.action.SecurePlugIn">
>   <set-property property="httpPort" value="8080"/>
>   <set-property property="httpsPort" value="8443"/>
>   <set-property property="enable" value="true"/>
>   <set-property property="addSession" value="false"/>
> </plug-in>

I have:

<plug-in className="org.apache.struts.action.SecureTilesPlugin">
  <set-property property="httpPort" value="80"/>
  <set-property property="httpsPort" value="8443"/>
  <set-property property="enable" value="true"/>
  <set-property property="addSession" value="true"/>
</plug-in>

From the sslext page:

Also added is the ability to configure the "always add Session ID to URL feature". This feature was added in a previous release to compensate for older browsers that do not automatically share sessions between the http and https protocols. If you are sure that this problem will not exist for you, you can now disable this feature through the "addSession" property of the SecurePlugIn (or SecureTilesPlugin).

The users are all using WinXP with IE or Firefox, so "older browser" doesn't sound right.

> SSL will (I think by default?) create a new session; you have
> to explicitly tell it to share session with non-SSL.

The thing is, it doesn't create a new sessionID when the user comes in through a link on the website. It's only when they click on a link in an email which sends them into an Action, which forwards them to the https page.

So maybe that's the problem? The session ID isn't being held onto in the forward from http to https, because it hasn't yet been returned to the client? If so, then maybe the fix is just to set redirect to true...

Daniel