You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Bob Feretich <bo...@prodigy.net> on 2005/05/01 10:48:52 UTC
Re: Session lost when switching from https to http in Tomcat 5.
Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a
"secure" cookie that is tagged for port 443 (or 8443) when the session
begins under HTTPS. Browsers are not allowed to send secure cookies
under plain HTTP, so your session is lost. For Tomcat 4 or 5 you must
start your session under HTTP, then switch to HTTPS to maintain a
session across both. Tomcat 3 had a config.xml option to always store
JSESSIONID as non-secure. It's a long story. See the mailing list
archive for the rants. In the its current state, Tomcat's implementation
does not agree with published "Best Practices" and the *proposed* "State
Management" standard, but the decision was made to err on the side of
security.
I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS.
The changes are not difficult, but you must implement your own mechanism
to prevent session hijacking. Non-secure JSESSIONID cookies create a
security hole.
The committees are supposed address the security vs. state management
issue in the next Servlet Spec.
Regards,
Bob Feretich
> I have a servlet/JSP application in which users establish their
> servlet session using https but conduct the rest of their
> interactions using http. The session appears not to be preserved
> between https and http, ie. after switching from back to http the
> request.getSession(false) call returns null. Can anyone shed light on
> this for me? Is this expected? Is there a
> workaround/configuration/setting in Tomcat 5 I might have missed?
>
> Thanks
>
> Anthony
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Session lost when switching from https to http in Tomcat 5.
Posted by Anhony <an...@comcast.net>.
Greetings,
Your help is greatly appreciated, I have hade a devil of a time with this. I
am glad to know this was not caused by an error in my code.
Again, thanks very much for your help.
Best Regards,
Anthony-
----- Original Message -----
From: "Bob Feretich" <bo...@prodigy.net>
To: <an...@comcast.net>; <to...@jakarta.apache.org>
Sent: Sunday, May 01, 2005 4:48 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.
> Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a "secure"
> cookie that is tagged for port 443 (or 8443) when the session begins under
> HTTPS. Browsers are not allowed to send secure cookies under plain HTTP,
> so your session is lost. For Tomcat 4 or 5 you must start your session
> under HTTP, then switch to HTTPS to maintain a session across both. Tomcat
> 3 had a config.xml option to always store JSESSIONID as non-secure. It's
> a long story. See the mailing list archive for the rants. In the its
> current state, Tomcat's implementation does not agree with published "Best
> Practices" and the *proposed* "State Management" standard, but the
> decision was made to err on the side of security.
>
> I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. The
> changes are not difficult, but you must implement your own mechanism to
> prevent session hijacking. Non-secure JSESSIONID cookies create a security
> hole.
>
> The committees are supposed address the security vs. state management
> issue in the next Servlet Spec.
>
> Regards,
> Bob Feretich
>
>> I have a servlet/JSP application in which users establish their
>> servlet session using https but conduct the rest of their
>> interactions using http. The session appears not to be preserved
>> between https and http, ie. after switching from back to http the
>> request.getSession(false) call returns null. Can anyone shed light on
>> this for me? Is this expected? Is there a
>> workaround/configuration/setting in Tomcat 5 I might have missed?
>>
>> Thanks
>>
>> Anthony
>>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org