Added a new ServletContext parameter "forceHttpSession" that when set to true forces the JSESSIONID cookie to be sent via http
This resolves an issue in the ecommerce app where if the initial request to the app is an https request then the session cookie is available via https only.
Subsequently if at any point the user switches to http then the session is lost along with any data such as the shopping cart.
The solution involves checking if the request is an https request and if the session is new then the user is redirected to an http version of the request.
The session cookie is then sent along with the http response which will either be the page requested if the request doesn't require https or otherwise another
redirect back to the https version.
|