André Warnier wrote:
> A lot of speculation here, but who knows?

Indeed. And it is all wrong.

> To my knowledge, there exists no case where the browser would not send a
> cookie with every request, if it has it and it is valid.

Well, there is the obvious example Rainer has already given of cookies
marked as secure. Given that the session is created under https this is
probably what is happening. Sessions are not maintained in transitions from
https to http.
If you need to protect the session creation with https then you should
almost certainly be providing the same level of protection for the session ID.
Mark
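
The behaviour described in this message, as an added example that is not part of the original thread: Python's standard-library cookie jar stands in for the browser and shows a Secure session cookie being withheld once the client moves from https to http. The host name, paths and session ID value are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message

HOST = "app.example.test"  # constructed host name, not from the thread


class FakeResponse:
    """Minimal response object: CookieJar only needs info() -> headers."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, followup_url):
    """Receive `set_cookie` on an https login response, then return the
    Cookie header a client would attach to a request for `followup_url`."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{HOST}/app/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    followup = urllib.request.Request(followup_url)
    jar.add_cookie_header(followup)
    return followup.get_header("Cookie")  # None when nothing was attached


# Constructed session cookies; the first carries the Secure attribute,
# as for a session created under https.
SECURE = "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"
PLAIN = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"

if __name__ == "__main__":
    for label, header in (("Secure", SECURE), ("not Secure", PLAIN)):
        for scheme in ("https", "http"):
            sent = cookie_sent(header, f"{scheme}://{HOST}/app/cart")
            print(f"{label:10} {scheme:5} -> Cookie: {sent}")
```

The cookie without the Secure attribute does follow the client to http, which is the case where the session ID crosses the network in cleartext.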