On Thu, Mar 19, 2015 at 9:41 AM, Martin Polívka <martasdx....@gmail.com> wrote:
> Hi, I am quite new to Tapestry, but last month I am upgrading our app from
> Tapestry 5.0.14 to 5.3.8. It's working now with one problem.
> We use Tomcat 7, servlet 3.0 (in the future Tomcat 8 and servlet 3.1) and
> Java 7. Tomcat listens on http (8080) and https (8443). If I use https,
> everything is OK.
> If I use http, I enter login page of app and SessionState object is
> created. I can see Session ID (equals X). It's done
> by contributeApplicationStateManager function in Module. Another contribute
> is for URL (contributeServiceOverride) where we use only https connection.
> That's because we want all ajax requests to go over https even if user is
> on http.
> So if user logs in, session and cookie is created with attribute httpOnly and
> if I send ajax request to https, another session is created by Tapestry.
> Is it possible to access the http session in https request?
>

In general, no, it's not possible. This is a security issue and it's not
related to Tapestry. Container-specific configuration may allow
joining/sharing sessions on the servers (I recall having done something
similar in the past with Tomcat). I'd advise simply using https everywhere;
it'll make your life easier.

Kalle