Hi all,
We have a web application that we're migrating to Tomcat 6 from OC4J. Halfway through the application flow it moves from HTTP to HTTPS. When it does this, instead of using the same session, it creates a new one and falls over. In OC4J there was a "shared=true" setting that meant the session was shared and the problem didn't occur. Tomcat is much more strict and does not allow sharing of the session between HTTP & HTTPS (it's the law - well, the servlet spec!).
When our application goes secure, SSL is terminated at the firewall, so actually Tomcat never performs any SSL processing, although it has to realise certain pages are secure. We've achieved this using 2 connectors in the server.xml. The firewall sends requests to either a secure or non-secure virtual host in Apache, which knows to use the appropriate connector in Tomcat. One is pretty much a vanilla AJP1.3 connector for non-secure and the other has the scheme property set to https, along with secure set to true and SSLEnabled set to false. This seems to ensure that pages are rendered appropriately. So, although neither connector is _actually_ secure, the 2nd one believes that it is and does not use the same session as the 1st one.
Is there a way to achieve session sharing through configuration in this environment, or do I need to write code to pass session data over?
Thanks for your help,
Rich