users@glassfish.java.net

RE: Re: ssl and session support

From: <w.rittmeyer_at_jsptutorial.org>
Date: Wed, 17 Jan 2007 08:55:52 +0100

>>I've googled a bit - and have looked into the SJSAS developer and deployer guides - to see whether Glassfish supports SSL sessions as a means to provide http session handling - as stated in the servlet spec chapter SRV.7.1.2.
>>
>>But I couldn't find any hint that this would be the case.
>>
>>So I guess Glassfish does not support this as a third mechanism in addition to using cookies or url rewriting. Is this correct?
>>
>>
>
>Correct, the servlet container in GlassFish does not use any SSL session id to keep track of its own sessions. Neither does Tomcat. Do you know any servlet container that does?
>

Hi Jan,

thanks for your answer. I've guessed so. IBM's Websphere supports sessions using the SSL id as another option in addtion to URL rewriting and cookies. Though these sessions are not distributable.

I did not ask because of intending to use it on my own. I am just writing about session handling in my tutorial (about JSPs and the likes). And since I mention Glassfishs and Tomcats methods of blocking the usage of cookies I thought I could add s.th. about the usage of SSL-IDs, _if_ Glassfish provided it.

Just to let you know: I mention Glassfish more and more over there and intend to swap containers (I am using Tomcat right now) in the foreseeable future.


Wolfram Rittmeyer