2 Replies Latest reply on Apr 9, 2004 2:38 AM by martin0

    Strange session behaviour?

    martin0

      I have observed the following repeatable behaviour. The behaviour seems odd to me, but it may be correct. I have yet to try it on Tomcat 5 standalone. This is on JBoss 3.2.3 and 3.2.4RC2.

      The web app has 3 pages
      index.jsp
      restricted.jsp (protected with form based container auth)
      logout.jsp (does session invalidate & requestdispatch forward to index.jsp)

      1) access index.jsp on http (session1)
      2) follow https link to restricted.jsp (session1)
      3) follow https link to logout.jsp (session1)
      4) now at https version of index.jsp with session2
      5) do step 2 again (session2)
      6) follow http link to index.jsp (session3!!! I would expect session2 still)

      To summarise:
      starting with an http link going to https retains the current session, but starting with https and going to http does not retain the session.

      I've read that old browsers don't retain sessions between http and https, but I'm using IE 6 patched up to date.

      Apologies that this isn't necessarily anything to do with JBoss but this is the only platform I've tried it on yet.

      It may be that the form based auth is an irrelevance - I've not done that simplification yet.

      Do any gurus have advice on this?

      Thanks
      Martin

        • 1. Re: Strange session behaviour?
          martin0

          This behaviour also occurs on tomcat 5.0.19 with no container based security constraints.

          Why does the session survive the http to https transition, but not the https to http transition (if it started in the https world)?

          Martin

          • 2. Re: Strange session behaviour?
            martin0

            For anyone who wants to know - I'm told it's for security reasons (so that it isn't possible to steal sensitive information that was entered via SSL).

            Makes sense.

            Martin
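The behaviour in this thread follows from the cookie Secure attribute: Tomcat marks a JSESSIONID cookie that it creates over HTTPS as Secure, so the browser never sends it on a plain-HTTP request and the container has to start a new session, whereas a cookie created over HTTP carries no such flag and is sent on both schemes. The Python simulation below is an added example, not code from the thread or from Tomcat/JBoss; the Server and Browser classes, the session ids and the STEPS list are constructed stand-ins that replay Martin's six steps.

```python
"""Constructed simulation of the Secure-cookie rule behind the session changes in the thread."""
import itertools

class Server:
    """Hypothetical stand-in for the container's session handling."""
    def __init__(self):
        self.sessions = set()
        self._ids = itertools.count(1)
    def handle(self, scheme, path, cookies):
        """Serve one request; return (session id, Set-Cookie header or None)."""
        sid, set_cookie = cookies.get("JSESSIONID"), None
        if path == "logout.jsp" and sid in self.sessions:
            self.sessions.discard(sid)      # logout.jsp: session.invalidate()
            sid = None                      # forward to index.jsp -> new session
        if sid not in self.sessions:
            sid = f"S{next(self._ids)}"
            self.sessions.add(sid)
            set_cookie = f"JSESSIONID={sid}; Path=/"
            if scheme == "https":           # created on TLS: container adds Secure
                set_cookie += "; Secure"
        return sid, set_cookie

class Browser:
    """Cookie jar that withholds Secure cookies from plain-http requests."""
    def __init__(self):
        self.jar = {}                       # name -> (value, is_secure)
    def store(self, header):
        attrs = [p.strip() for p in header.split(";")]
        name, value = attrs[0].split("=", 1)
        self.jar[name] = (value, "secure" in (a.lower() for a in attrs[1:]))
    def cookies_for(self, scheme):
        return {n: v for n, (v, sec) in self.jar.items() if scheme == "https" or not sec}

def walk(steps):
    """Replay (scheme, path) steps; return the session id seen at each step."""
    server, browser, seen = Server(), Browser(), []
    for scheme, path in steps:
        sid, set_cookie = server.handle(scheme, path, browser.cookies_for(scheme))
        if set_cookie:
            browser.store(set_cookie)
        seen.append(sid)
    return seen

# Martin's six steps, as constructed input
STEPS = [("http", "index.jsp"), ("https", "restricted.jsp"), ("https", "logout.jsp"),
         ("https", "index.jsp"), ("https", "restricted.jsp"), ("http", "index.jsp")]

print(walk(STEPS))  # ['S1', 'S1', 'S2', 'S2', 'S2', 'S3']
```

The first session (created over http, no Secure flag) survives the hop to https; the second (created over https, Secure) is withheld on the final http request, so a third session appears exactly where the thread reports it.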