Hi Mark,

Thanks for this. I didn't quite fully grok your reply. Given:

https request: get session returns session A.
https request: get session returns session A.
http request: get session (no create) returns null
http request: get session(create) returns session B != A.
https request: get session returns ?

i.e. will the newly created session B replace session A, or will A
continue to be returned for https requests? I suspect it will return B,
on the assumption the client does not store separate JSESSIONIDs for
secure and insecure channels, but I'm not sure.

And yes I have read the servlet specs - it is frustrating that I can't
seem to find what I'm looking for in them. I'm not blaming the specs
for that - I'm responsible.

I just had another extensive search and failed to find what I'm looking
for. One might think that section SRV.7.2 Creating a Session might
cover it, but it doesn't and nor does any of SRV.7, the section on
Sessions, that I have found. The APIs define the result of the
getSession() to be the "session associated with" this request. A text
search for "session associated with" finds nothing useful.

If you or anyone can narrow down where I should look for the
specification of the behaviour you describe, I'd be most grateful.

Brian

On 14/09/2010 12:55, Mark Thomas wrote:
> On 14/09/2010 10:40, Brian McBride wrote:
>> The javadoc states this call returns the "session associated with the
>> request". I'm trying to figure out what "the session associated with
>> the request" actually means.
>>
>> Specifically, if I have the same client sending https and http requests
>> intermixed in time, will there be two session objects, one for the
>> secure requests and one for the insecure ones, or just one?
>
> It depends where the session is created. Sessions created under http
> should transition to https (and back) without a problem. If you create
> the session under https then the session will not transition to http.
> The next http request will trigger a new session to be created.
>
>> And, if there are two, is this documented anywhere?
>
> Have you read the Servlet specs?
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
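
The five-request sequence from the question, as an added simulation that is not part of the thread and not Tomcat code: a session created over https gets a JSESSIONID cookie marked Secure, which the client never sends over http. Assumptions: the client keeps one cookie per name, domain and path (RFC 6265), and the hypothetical `leave_secure_cookies_alone` switch models clients that refuse to let an http response overwrite a Secure cookie; `Server`, `Client` and `brians_sequence` are illustrative names.

```python
# Constructed simulation: one client cookie slot and one server-side session store.
import itertools

class Server:
    """Hands out session ids; marks the cookie Secure when created over https."""
    def __init__(self):
        self.sessions, self._ids = set(), itertools.count()

    def get_session(self, scheme, cookie, create=True):
        # Returns (session id or None, Set-Cookie as (value, secure) or None).
        if cookie in self.sessions:
            return cookie, None
        if not create:
            return None, None
        sid = "ABCDEFGH"[next(self._ids)]
        self.sessions.add(sid)
        return sid, (sid, scheme == "https")

class Client:
    """Single JSESSIONID slot: same name, domain and path for both schemes."""
    def __init__(self, leave_secure_cookies_alone):
        self.cookie = None                    # (value, secure) or None
        self.strict = leave_secure_cookies_alone

    def request(self, server, scheme, create=True):
        stored = self.cookie
        # A Secure cookie is never sent over plain http.
        sent = stored[0] if stored and (scheme == "https" or not stored[1]) else None
        sid, set_cookie = server.get_session(scheme, sent, create)
        if set_cookie:
            # Strict clients ignore an http Set-Cookie that would clobber a Secure one.
            blocked = self.strict and scheme == "http" and stored and stored[1]
            if not blocked:
                self.cookie = set_cookie      # RFC 6265: same key replaces the old cookie
        return sid

def brians_sequence(leave_secure_cookies_alone):
    """Replay the five requests from the question; return the session seen by each."""
    server, client = Server(), Client(leave_secure_cookies_alone)
    steps = [("https", True), ("https", True), ("http", False),
             ("http", True), ("https", True)]
    return [client.request(server, scheme, create) for scheme, create in steps]
```

With plain RFC 6265 replacement the last https request sees B and session A is orphaned on the server; with the strict client it still sees A, and every later http request creates yet another session.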