Posted to users@httpd.apache.org by ya...@harel-ins.co.il on 2009/10/26 09:22:50 UTC

[users@httpd] RE: apache http lost session

Hi again, I need help.

I have an Apache HTTP 2.2 server that forwards requests to a JBoss web server (version 4.2).

I configured my HTTP server to forward requests when the user logs in to a secure page (https).

When the user logs in, I save the user information in my session (not in a cookie!!!).

After the user successfully logs in, I forward the request to a non-secure page (http).

But when I try to get the user information from the session, I find that my session was lost between the pages (https to http).

How can I solve this?

I can't save any information about the client in the browser because of a security issue.

My web site is based on Java.

Thanks, Yaniv


Re: [users@httpd] RE: apache http lost session

Posted by André Warnier <aw...@ice-sa.com>.
yanivo@harel-ins.co.il wrote:
>  
...
> I have an Apache HTTP 2.2 server that forwards requests to a JBoss web server (version 4.2).
> I configured my HTTP server to forward requests when the user logs in to a secure page (https).
> When the user logs in, I save the user information in my session (not in a cookie!!!).
> After the user successfully logs in, I forward the request to a non-secure page (http).
> But when I try to get the user information from the session, I find that my session was lost between the pages (https to http).
> How can I solve this?
> 
Someone else here already gave you a good clue.
You should probably start by reading
http://en.wikipedia.org/wiki/HTTP_cookie
and see what they have to say about "secure" cookies.
Your session data is not saved in a cookie, but the "key" to the session 
data is saved in a cookie.  The server needs that key, in order to 
retrieve the session data at the next request.
But, if that cookie is set up at a moment where the connection is HTTPS, 
then the cookie is "marked" for (secure) HTTPS.
Your browser (probably) will not send that cookie to the server at the 
next request, if that next request happens under (non-secure) HTTP.
And since the new request then arrives at the server without the 
session-id cookie, the server thinks this is a new session.
That is what makes you think that your session "is lost".

Another suggestion: get yourself a browser add-on like HttpFox for 
Firefox, or Fiddler2 for IE.  Then run your login sequence, and 
carefully examine the HTTP headers of the requests and responses.
That will show you what is going on.
You will see "SetCookie" headers being sent by the server, and "Cookie" 
headers being sent by the browser. Or not.
Look for cookies named "JSESSIONID".


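
The cookie behaviour described in the reply above, reproduced with the Python standard library's cookie jar, which applies the same "Secure" rule as a browser. This is an added example, not part of the original thread; the host name and the JSESSIONID value are constructed.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "www.example.test"  # constructed host name, not from the thread


class FakeResponse:
    """Stand-in for a server response that carries Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, keeps duplicates

    def info(self):
        return self._headers


def login_over_https(set_cookie_value):
    """Store the cookie that a login response sets on https://HOST/login."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{HOST}/login")
    jar.extract_cookies(FakeResponse([set_cookie_value]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the client would attach to url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    """Compare a Secure and a non-Secure session cookie on https and http."""
    results = {}
    for label, header in (
        ("secure", "JSESSIONID=ABC123; Path=/; Secure"),  # constructed value
        ("plain", "JSESSIONID=ABC123; Path=/"),
    ):
        jar = login_over_https(header)
        results[label] = {
            scheme: cookie_header_for(jar, f"{scheme}://{HOST}/account")
            for scheme in ("https", "http")
        }
    return results


if __name__ == "__main__":
    for label, sent in demo().items():
        print(label, sent)
```

The "secure" row shows the session-id cookie attached to the https request and absent from the http request, which is the point at which the server starts a new session.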