Originally posted by Peter den Haan:
One crucial difference is that with HTTPS, the server can use the SSL session for session tracking (i.e., keeping track of your HttpSession). With plain old HTTP, the server needs to use a temporary cookie or URL rewriting.
- Peter
This is certainly a possibility. However, most of the Java Web Container applications do not make use of HTTPS session information for user-level session tracking. One reason is that the code doing the session tracking is usually at a higher layer and is the same for both HTTP and HTTPS. Also, a persistent cookie-based session can survive a browser close, whereas HTTPS-based sessions cannot. There are also some interesting corner cases when a user creates a new browser (by clicking Ctrl-N in IE) in the middle of a session.