Hi,

We are trying to get around the following problem:

We have a bunch of Apaches running mod_jk in front of a JBoss farm. The application requires a login to get a valid session. Research on the Internet has shown that in order to maintain a session over http and https, the JSESSIONID must be established during an http request. This is to get the cookie not marked as 'secure', so that the browser can send the cookie over both connections (http and https). So we provide the login page in http, delivered out of the Tomcat, thus getting a JSESSIONID with 'secure=no'. The following POST then uses https to transport the username and password for login.

What we see now is that when the session switches from http to https, the JSESSIONID cookie gets overwritten with the same value (the ID), but the secure flag is now set to 'true'. The user then gets dropped out of his session when the application switches back to http.

The flow is like this: http (cookie gets set with flag 'secure=no') -> https (cookie gets reset with flag 'secure=yes') -> http (session context gets lost, because the browser does not send the JSESSIONID cookie to the server)

How can we prevent the cookie from being reset with 'secure=yes' when switching to https when we already have an established session ID?

Help would be appreciated.

With kind regards,
christian kupferschmid
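The three-step flow from the post, replayed against a minimal cookie jar that applies the Set-Cookie replacement and Secure-attribute rules a browser follows. This is an added illustration, not code from the poster or from Tomcat/mod_jk; the host `app.example`, the `j_security_check` path and the ID `ABC123` are constructed.

```python
from urllib.parse import urlparse

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

class CookieJar:
    """Minimal jar: one cookie per name, remembering only the Secure flag."""
    def __init__(self):
        self.cookies = {}  # name -> (value, secure)

    def store(self, set_cookie):
        name, value, attrs = parse_set_cookie(set_cookie)
        # A later Set-Cookie with the same name replaces the stored cookie
        # *and* its attributes, so a Secure re-issue overrides the earlier
        # non-Secure one even though the value is unchanged.
        self.cookies[name] = (value, "secure" in attrs)

    def cookie_header(self, url):
        """Cookie header the browser would send, or None if nothing qualifies."""
        https = urlparse(url).scheme == "https"
        pairs = [f"{n}={v}" for n, (v, secure) in self.cookies.items()
                 if https or not secure]
        return "; ".join(pairs) or None

def simulate(steps):
    """steps: (request_url, Set-Cookie in the response or None).
    Returns the Cookie header sent with each request."""
    jar = CookieJar()
    sent = []
    for url, set_cookie in steps:
        sent.append(jar.cookie_header(url))
        if set_cookie:
            jar.store(set_cookie)
    return sent

# Constructed flow matching the post: http login page, https POST, back to http.
FLOW = [
    ("http://app.example/login", "JSESSIONID=ABC123; Path=/"),
    ("https://app.example/j_security_check", "JSESSIONID=ABC123; Path=/; Secure"),
    ("http://app.example/home", None),
]

if __name__ == "__main__":
    for (url, _), cookie in zip(FLOW, simulate(FLOW)):
        print(f"{url:45} Cookie: {cookie}")
```

Only the third request changes between a run with and without the Secure re-issue: the attribute, not the cookie value, decides whether the browser sends JSESSIONID over http.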
