users@glassfish.java.net

Re: http session lost when switching from https to http (on cluster)

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 26 Feb 2009 11:42:10 -0800

Hi Adam,

On 02/26/09 10:56 AM, glassfish_at_javadesktop.org wrote:
> Hi Jan,
>
> thanks for the answer, it is exactly as you wrote.
>
> I have found that I can force JSESSIONIDVERSION to be always unsecure (in sun-web.xml) and this solves my problem,
Great! Glad you figured this out as a possible workaround!
> however isn't it strange behaviour?
>
> I mean, if JSESSIONID is marked properly why JSESSIONIDVERSION is not?
>
Because unlike the JSESSIONID cookie, which is appended only to the first
response (since it will never change from then on), the JSESSIONIDVERSION
cookie is appended to every response, as its value is incremented for
each request, and the default behaviour for cookies is to inherit the
security setting of the request.

> My scenario is quite popular, home page, login using secure connection and go back to home page or other pages which can be unsecure. With, I guess, standard behaviour of JSESSIONIDVERSION it will always fail.
>
True.

Would you mind filing an issue in the GlassFish IssueTracker under the
"failover" category and assigning it to jluehe?

BTW, which version of GlassFish are you using?

Thanks,

Jan

> Nevertheless, thanks for your help.
>
> Regards,
> Adam
> [Message sent by forum member 'adeboinfo' (adeboinfo)]
>
> http://forums.java.net/jive/thread.jspa?messageID=334060
>
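The behaviour discussed in this thread, as a small Python model added here for illustration; it is not GlassFish code and not part of the original messages. The `Server` and `Browser` classes, the session id value and the `force_version_insecure` flag (standing in for the sun-web.xml setting Adam mentions) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    value: str
    secure: bool  # a Secure cookie is only sent back over https

class Server:
    """Assumed simplification of the container behaviour described in the thread."""
    def __init__(self, force_version_insecure=False):
        self.force_version_insecure = force_version_insecure  # hypothetical flag
        self.version = 0

    def respond(self, scheme, request_cookies):
        inherited = scheme == "https"  # default: cookie inherits the request's security
        set_cookies = {}
        if "JSESSIONID" not in request_cookies:
            # Appended only to the first response; "abc123" is a constructed value.
            set_cookies["JSESSIONID"] = Cookie("abc123", inherited)
        self.version += 1  # incremented per request, so re-sent on every response
        secure = False if self.force_version_insecure else inherited
        set_cookies["JSESSIONIDVERSION"] = Cookie(str(self.version), secure)
        return set_cookies

class Browser:
    def __init__(self):
        self.jar = {}

    def request(self, server, scheme):
        # Secure cookies are withheld from plain-http requests.
        sent = {name: c.value for name, c in self.jar.items()
                if scheme == "https" or not c.secure}
        self.jar.update(server.respond(scheme, sent))
        return sent

def browse(force_version_insecure):
    """Home page (http), login (https), back to home page (http)."""
    server, browser = Server(force_version_insecure), Browser()
    return [browser.request(server, s) for s in ("http", "https", "http")]

if __name__ == "__main__":
    for flag in (False, True):
        print("force_version_insecure =", flag)
        for scheme, sent in zip(("http", "https", "http"), browse(flag)):
            print(f"  {scheme:5} request carries {sent}")
```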