Conveying servlet sessions by SSL session is clearly not required by the
spec, though...
I'm not sure whether Tomcat supports this...
Bernhard Slominski wrote:
Hi,
I just looked it up in the spec and there is a 3rd one as well: SSL Sessions
From the Servlet spec:
"SRV.7.1 Session Tracking Mechanisms
The following sections describe approaches to tracking a user's sessions
SRV.7.1.1 Cookies
Session tracking through HTTP cookies is the most used session tracking
mechanism and is required to be supported by all servlet containers.
The container sends a cookie to the client. The client will then return the
cookie on each subsequent request to the server, unambiguously associating the
request with a session. The name of the session tracking cookie must be
JSESSIONID.
SRV.7.1.2 SSL Sessions
Secure Sockets Layer, the encryption technology used in the HTTPS protocol, has a
built-in mechanism allowing multiple requests from a client to be unambiguously
identified as being part of a session. A servlet container can easily use this data to
define a session.
SRV.7.1.3 URL Rewriting
URL rewriting is the lowest common denominator of session tracking. When a
client will not accept a cookie, URL rewriting may be used by the server as the basis
for session tracking. URL rewriting involves adding data, a session ID, to the URL
path that is interpreted by the container to associate the request with a session.
The session ID must be encoded as a path parameter in the URL string. The
name of the parameter must be jsessionid.
..."
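
The following is an added example, not part of the thread or of the spec: a Python sketch that finds which of the two HTTP-visible mechanisms quoted above (the JSESSIONID cookie or the jsessionid path parameter) carries a session ID, and masks a URL-borne ID before the request target is logged. The function names and sample requests are constructed for illustration; an SSL session belongs to the TLS connection and is not visible in the request text, so it is not covered.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Names fixed by the quoted spec text.
COOKIE_NAME = "JSESSIONID"   # session tracking cookie
PATH_PARAM = "jsessionid"    # URL-rewriting path parameter


def session_ids(target, cookie_header=""):
    """Return {'cookie': id, 'url': id} for whichever mechanisms carry an ID."""
    found = {}
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if COOKIE_NAME in cookies:
        found["cookie"] = cookies[COOKIE_NAME].value
    # Path parameters follow ';' inside a path segment, before any '?query'.
    for segment in urlsplit(target).path.split("/"):
        for param in segment.split(";")[1:]:
            key, _, value = param.partition("=")
            if key == PATH_PARAM and value:
                found["url"] = value
    return found


def redact(target):
    """Mask a URL-borne session ID before the target is written to a log."""
    return re.sub(r"(;%s=)[^;/?#]*" % PATH_PARAM, r"\1<redacted>", target)


# Constructed sample requests: (request target, Cookie header).
SAMPLES = [
    ("/shop/cart?item=4", "JSESSIONID=A1B2C3; theme=dark"),
    ("/shop/cart;jsessionid=A1B2C3?item=4", ""),
    ("/shop/cart?jsessionid=A1B2C3", ""),  # query parameter, not a path parameter
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(redact(target), session_ids(target, cookie))
```

With URL rewriting the ID is part of the request target, so it ends up wherever URLs are recorded (access logs, Referer headers, browser history), which is why the sketch masks it before logging.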