1 person found this helpful
If I understand correctly, Flash/Flex has its own cookies. These have to be established separately. Otherwise, you will have to use the url rewriting approach to pass the jsessionid.
So this behavior is by design? It makes interaction within web apps pretty difficult. If someone can tell me the reasoning behind it, I'm all ears.
- This seems to be because browsers don't reliably provide Flash access to the headers. There are some serious security implications at play here too.
- Flash has its own local data (cookie) storage.
- You can't reliably count on cookies to be enabled by the end-user anyway.
I'm pretty sure that browsers that deny access to he headers are not many, or at least not used by a lot of people ; the JSP application, flex object and pages called through HTTPService are all on the same domain and users that disable cookies can't login into the JSP application anyway. A default behavior that works 99% of the time with a fallback on flash's own cookie manager would have been nice, but it is what it is...
Thanks for the answers.