Session lost when switching from https to http (tomcat 6.0.26)
I'm developing a web app (JSF 2.0 + Facelets + RichFaces 3.3.3 + Oracle 10g + Tomcat 6.0.26).
In my app, there is one path that is not secured, and the others are secured (web.xml):
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/faces/login.jsp</form-login-page>
        <form-error-page>/faces/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin_Resource</web-resource-name>
        <description/>
        <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>A</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <description>Role admin</description>
    <role-name>A</role-name>
</security-role>
So, this path is not secured: /faces/client/*. When I move from https to http, I use this function:
FacesContext.getCurrentInstance().getExternalContext().redirect("http://url/faces/client/page.xhtml");
When I deploy my app and use this URL: http(s)://url/MyContext/faces/..., everything worked fine.
But when I moved my app to the ROOT context, so that I use this URL: http(s)://url/faces/, my https session is lost when I move from https to http, then back to https. My login page shows up, so I need to re-type my login and password.
Why is my session lost? Is there something wrong?
Added: when I deploy my app, here's what I do (external server):
I put my war file into the webapp folder.
I start my server (which decompresses my war into folders, ...), then stop it.
I delete my war file.
I replace the content of the ROOT folder with the content of the decompressed war file.
And I restart my server again.
But everything works fine when I put my war into the webapp folder, then start the server (that's all).
So, I think it's a context problem.
Do you have any ideas?
This is an old question, but it's worth answering because I just ran into it and the answer ended up being really simple. First, it makes complete sense that the session should be regenerated on the same session cookie name when going back and forth between HTTP and HTTPS. By default in Tomcat the session cookie name is JSESSIONID.
In Tomcat you can very simply change the name of the session cookie. I had two webapps, one HTTP and another HTTPS, for admin tools. Any time the HTTP webapp opened, I lost my session in the HTTPS webapp. All I had to do was add the sessionCookieName to the context of my HTTPS webapp:
<Context sessionCookieName="ANOTHERCOOKIENAME" ...
This won't help if you're switching between HTTP and HTTPS in the same webapp, but you shouldn't do that anyway.
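As an added illustration (a constructed model, not code from the question or the answer, and not Tomcat's implementation) of why one cookie name collides: a browser stores cookies by (name, domain, path) only, so the non-Secure JSESSIONID set during the HTTP request replaces the Secure one issued at the HTTPS login, and the next HTTPS request presents an id the secured session never had. The host "url" and the ROOT context path "/" come from the question; the cookie-store rules assumed are those of RFC 6265 as browsers applied them at the time.

```python
import secrets

class CookieStore:
    """Minimal RFC 6265 cookie store: one slot per (name, domain, path)."""
    def __init__(self):
        self.jar = {}

    def set(self, name, value, secure):
        # Same key -> the new cookie replaces the old one, Secure flag or not.
        self.jar[(name, "url", "/")] = (value, secure)

    def cookies_for(self, over_https):
        # Secure cookies are only attached to HTTPS requests.
        return {n: v for (n, _, _), (v, s) in self.jar.items() if over_https or not s}

class Webapp:
    """Tomcat-like session handling for one webapp on host 'url', ROOT context.
    The session cookie gets the Secure flag when the session is created over HTTPS."""
    def __init__(self, cookie_name="JSESSIONID"):
        self.cookie_name, self.sessions = cookie_name, {}

    def request(self, store, over_https, login_as=None):
        sid = store.cookies_for(over_https).get(self.cookie_name)
        if sid not in self.sessions:              # no usable cookie: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            store.set(self.cookie_name, sid, secure=over_https)
        if login_as:
            self.sessions[sid]["user"] = login_as
        return self.sessions[sid].get("user")     # None == not logged in

def same_webapp_default_cookie():
    """The question's setup: one webapp, JSESSIONID shared by both schemes."""
    store, app = CookieStore(), Webapp("JSESSIONID")
    app.request(store, over_https=True, login_as="alice")  # FORM login on /faces/admin/*
    app.request(store, over_https=False)                   # redirect to http://url/faces/client/...
    return app.request(store, over_https=True)             # back on HTTPS: login page again

def separate_webapps_distinct_cookie():
    """The answer's fix: the HTTPS webapp gets its own sessionCookieName."""
    store = CookieStore()
    admin, public = Webapp("ANOTHERCOOKIENAME"), Webapp("JSESSIONID")
    admin.request(store, over_https=True, login_as="alice")
    public.request(store, over_https=False)
    return admin.request(store, over_https=True)

if __name__ == "__main__":
    print("same webapp, JSESSIONID:", same_webapp_default_cookie())           # None
    print("two webapps, distinct names:", separate_webapps_distinct_cookie())  # alice
```

Current browsers implement "Leave Secure Cookies Alone" (RFC 6265bis) and refuse to let a plain-HTTP response overwrite a Secure cookie, so the collision modelled here is far less likely on today's clients; on the Tomcat side the per-context fix remains a distinct sessionCookieName.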