Sam Gendler wrote:
> Is it possible that sessions aren't persistent when switching between
> connectors? The proxyPort attribute on the connector did fix my problem,
> but I've discovered that logging in over an https connection only works if I
> click the remember-me checkbox, which sets a cookie on the client and stores
> some state in a db which can associate the cookie with the identity of the
> user. If I don't use remember me, the authentication occurs when connected
> via the secure connector and the user's identity is stored in the session,
> but when the system switches back to the other connector, it fails to find
> the authorization info in the session, so it redirects right back to the
> login page via https. I suspect the session cookie is being set as
> https-only, so it doesn't get passed back when accessing via http. Is there
> any way to correct this behaviour?

No. That is by design. The session ID is almost as valuable as the password. If you need SSL to protect the password, you should use SSL to protect the session ID.

You can work your way around this with code if you really want to.

Mark
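
The client-side behaviour discussed in this thread, as an added illustration that is not part of the original messages and is not Tomcat code: Python's standard `http.cookiejar` applies the same rule a browser does to a session cookie marked `Secure`. The host name and session value are constructed for the example.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed values for illustration; not taken from the thread.
HOST = "app.example.test"
SESSION = "JSESSIONID=CONSTRUCTED123; Path=/"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, next_scheme):
    """Log in over https, then return the Cookie header a client would
    attach to a follow-up request made over next_scheme (None if omitted)."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)
    follow_up = urllib.request.Request(f"{next_scheme}://{HOST}/home")
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    cases = (("Secure", SESSION + "; Secure"), ("not Secure", SESSION))
    for label, header in cases:
        for scheme in ("https", "http"):
            print(f"{label:10} -> {scheme:5}: {cookie_sent(header, scheme)}")
```

With the `Secure` attribute the session ID is withheld from the plain http request, which is why the application sees no session and redirects to the login page; without it the ID travels unencrypted on every http request.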