2 Replies Latest reply on Apr 9, 2004 2:38 AM by martin0

    Strange session behaviour?

    martin0 Novice

      I have observed the following repeatable behaviour. The behaviour seems odd to me, but it may be correct. I have yet to try it on Tomcat 5 standalone. This is on JBoss 3.2.3 and 3.2.4RC2.

      The web app has 3 pages
      restricted.jsp (protected with form based container auth)
      logout.jsp (does session invalidate & requestdispatch forward to index.jsp)

      1) access index.jsp on http (session1)
      2) follow https link to restricted.jsp (session1)
      3) follow https link to logout.jsp (session1)
      4) now at https version of index.jsp with session2
      5) do step 2 again (session2)
      6) follow http link to index.jsp (session3!!! I would expect session2 still)

      To summarise:
      starting with an http link going to https retains the current session, but starting with https and going to http does not retain the session.

      I've read that old browsers don't retain sessions between http and https, but I'm using IE 6 patched up to date.

      Apologies that this isn't necessarily anything to do with JBoss but this is the only platform I've tried it on yet.

      It may be that the form based auth is an irrelevance - I've not done that simplification yet.

      Do any gurus have advice on this?
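
      The six steps above, replayed against a toy model; this is an added example, not part of the original post. It assumes the container marks a session cookie Secure when the session is created during an HTTPS request, and that the browser withholds Secure cookies from plain-HTTP requests. The names `Container`, `Browser` and `replay` are hypothetical.

```python
import itertools

class Container:
    """Toy servlet container: issues a session cookie, Secure if created over HTTPS (assumption)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.live = set()

    def handle(self, scheme, cookie_sid, invalidate=False):
        """Return (session id serving the response, Set-Cookie dict or None)."""
        sid = cookie_sid if cookie_sid in self.live else None
        if invalidate and sid:
            self.live.discard(sid)   # logout.jsp: session.invalidate()
            sid = None               # forwarded page then creates a fresh session
        if sid:
            return sid, None
        sid = f"session{next(self._ids)}"
        self.live.add(sid)
        return sid, {"value": sid, "secure": scheme == "https"}

class Browser:
    """Toy cookie jar holding one session cookie for the host."""
    def __init__(self, server):
        self.server, self.cookie = server, None

    def get(self, scheme, invalidate=False):
        c = self.cookie
        # A Secure cookie is never attached to a plain-HTTP request.
        send = c["value"] if c and (scheme == "https" or not c["secure"]) else None
        sid, set_cookie = self.server.handle(scheme, send, invalidate)
        if set_cookie:
            self.cookie = set_cookie
        return sid

def replay():
    """Replay the post's steps; steps 3 and 4 are a single request/response."""
    b = Browser(Container())
    return [
        b.get("http"),                    # 1) index.jsp over http
        b.get("https"),                   # 2) restricted.jsp over https
        b.get("https", invalidate=True),  # 3+4) logout.jsp, forward to index.jsp
        b.get("https"),                   # 5) restricted.jsp over https
        b.get("http"),                    # 6) index.jsp over http
    ]

if __name__ == "__main__":
    print(replay())
```

      Under these assumptions the session created in step 1 carries over to HTTPS because its cookie is not Secure, while the one created after logout is Secure and so is not sent on the HTTP request in step 6.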