Posted to dev@struts.apache.org by Darian Shimy <Da...@eharmony.com> on 2005/11/04 23:17:37 UTC

FIX: Session lost from HTTPS to HTTP and Redirect warning from IE

I sent this email to the ssl-ext list last week and never got a
response.  A moderator needed to approve it due to its size and since
there isn't too much activity on that list anymore, it may be lost in a
spam filter somewhere.

Nonetheless, in case anyone on this list is interested, here is the
email....

________________________________

From: Darian Shimy
Sent: Friday, October 28, 2005 11:27 AM
To: 'sslext-user@lists.sourceforge.net'
Subject: FIX: Session lost from HTTPS to HTTP and Redirect warning from IE

I had some problems when a session was created in HTTPS and the user went to
HTTP.  There are security issues with this; however, if you want this
functionality to work, I attached a patch (I apologize for the CVS
Keyword expansion) for the changes, which include:

1.	Changed variable names from enum to enumeration in
SecureRequestUtils for JDK 1.5 compatibility.
2.	Added a class SecureSessionFilter that will add a session cookie
with the session ID when switching from HTTPS to HTTP if the user's
session was not used from a cookie.  This resolves the problem where a
session created in HTTPS is lost when the user tries to navigate to HTTP.
The workaround before this filter was to put the session ID on all URLs,
which has other consequences.  To use this feature the addSessionHttp
property must be true.
3.	Added the ability to switch from HTTPS to HTTP with a
client-side redirect instead of a 302 redirect.  This solved the problem
with Internet Explorer complaining that data submitted using a secure
page was being sent to an insecure page.

For the above changes I added two configuration parameters to the
SecurePlugInInterface:

1.	addSessionHttp - This boolean value must be set to true for the
system to add the session ID to the URL when going from HTTPS to HTTP.
The default is true.
2.	httpRedirectPage - This is a JSP page in the webapp that the
system will redirect the user to when we need a redirect from HTTPS to
HTTP and we don't want the nag screen.

Sample struts-config.xml fragment:

    <plug-in className="org.apache.struts.action.SecurePlugIn">
        <set-property property="httpPort" value="80"/>
        <set-property property="httpsPort" value="443"/>
        <set-property property="enable" value="true"/>
        <set-property property="addSession" value="false"/>
        <set-property property="addSessionHttp" value="true"/>
        <set-property property="httpRedirectPage" value="/redirect.jsp"/>
    </plug-in>

Sample web.xml fragment for filter:

    <filter>
        <filter-name>SessionProtocolFilter</filter-name>
        <filter-class>org.apache.struts.util.SecureSessionFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>SessionProtocolFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Sample HTTP Redirect Page:

<%@ page import="org.apache.struts.action.SecurePlugInInterface"%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>

<html>

  <head>
    <script language="JavaScript" type="text/javascript">
    <!--
    window.location.replace("<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>");
    // -->
    </script>
    <title>Please wait...</title>
    <meta http-equiv="Refresh" content="0; url=<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>">
  </head>

  <body>
    If you are seeing this page, your browser settings prevent you
    from automatically redirecting to a new URL.
    <p>
    Please <a href="<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>">click here</a> to continue.
  </body>

</html>

Let me know if you have any questions.
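As an added illustration of what change (2) in the mail describes, here is a minimal servlet Filter written for this page; it is not the sslext project's SecureSessionFilter and was not posted by the author. When a valid session ID reaches a plain-HTTP request through URL rewriting rather than through a cookie, the filter re-issues the session cookie so the session survives the switch from HTTPS to HTTP. The class name, the addSessionHttp init-param and the JSESSIONID cookie name are assumptions (JSESSIONID is the servlet-container default, but a container can be configured to use another name).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (hypothetical name, not the sslext SecureSessionFilter).
 * Re-issues the session-id cookie when a session is carried into a plain-HTTP
 * request by URL rewriting instead of by a cookie.
 */
public class SessionDowngradeFilter implements Filter {

    /** Assumed cookie name: the servlet default; containers may rename it. */
    private static final String SESSION_COOKIE = "JSESSIONID";

    private FilterConfig config;
    private boolean addSessionHttp = true;   // hypothetical init-param, on by default

    public void init(FilterConfig cfg) throws ServletException {
        config = cfg;
        String v = cfg.getInitParameter("addSessionHttp");
        if (v != null) {
            addSessionHttp = Boolean.valueOf(v).booleanValue();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Act only on plain-HTTP requests that present a valid session id
        // through something other than a cookie (e.g. ";jsessionid=" in the URL).
        if (addSessionHttp
                && !request.isSecure()
                && request.isRequestedSessionIdValid()
                && !request.isRequestedSessionIdFromCookie()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                Cookie cookie = new Cookie(SESSION_COOKIE, session.getId());
                String path = request.getContextPath();
                cookie.setPath(path.length() == 0 ? "/" : path);
                // Deliberately no cookie.setSecure(true): a Secure cookie is never
                // sent over HTTP, which is exactly why the session looked lost.
                response.addCookie(cookie);
                // Leave a trace of every HTTPS-to-HTTP session carry-over for review.
                config.getServletContext().log(
                    "session cookie re-issued on HTTP for " + request.getRequestURI()
                    + " from " + request.getRemoteAddr());
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        config = null;
    }
}
```

Map it with a web.xml filter-mapping like the one in the mail. The cookie it writes carries no Secure attribute, so from that point on the session ID travels in the clear on every HTTP request; that is the "security issue" the mail acknowledges. A deployment that needs the HTTPS-to-HTTP navigation but does not want an HTTPS-authenticated session exposed on HTTP can instead invalidate the session and start a fresh, unauthenticated one at the downgrade, and the ServletContext log line above gives operators a record of how often the carry-over happens.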