Posted to users@tomcat.apache.org by Kupferschmid Christian <Ch...@ticketcorner.com> on 2007/02/28 17:01:36 UTC

Tomcat 5.5 JSESSIONID gets overwritten with same value but flagged 'secure' when switching from http to https

Hi

We are trying to get around the following problem:

We have a bunch of Apaches running mod_jk in front of a JBoss farm. The
application requires a login to get a valid session.

Research on the Internet has shown that in order to
maintain a session over http and https the JSESSIONID must be
established during an http request. This is to get the cookie not marked
as 'secure', so that the browser can send the cookie over both
connections (http and https).

So we provide the login page in http delivered out of the Tomcat, thus
getting a JSESSIONID with 'secure=no'. The following POST then uses
https to transport the username and password for login.

What we see now is that when the session switches from http to https the
JSESSIONID cookie gets overwritten with the same value (the ID) but the
secure flag is now set to 'true'. The user then gets dropped out of his
session when the application switches back to http.

The flow is like this:
http (cookie gets set with flag 'secure=no') -> https (cookie gets reset
with flag 'secure=yes') -> http (session context gets lost, because the
browser does not send the JSESSIONID cookie to the server)


How can we prevent the cookie from being reset with 'secure=yes' when
switching to https while already having an established session id?

Help would be appreciated.

With kind regards,

christian kupferschmid
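The three-step flow described in the post, modelled as a small browser cookie-jar simulation. This is an added example, not code from the poster or from Tomcat; the host names, the session id value and the Set-Cookie headers are constructed for illustration. It implements the two standard cookie rules that produce the symptom: a later Set-Cookie with the same name replaces the stored cookie together with its attributes, and a cookie carrying the Secure attribute is only sent on https requests.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class BrowserCookieJar:
    """Minimal model of a browser cookie jar for a single host (constructed for this example)."""

    def __init__(self):
        self._cookies = {}

    def receive(self, set_cookie_header):
        # Parse "NAME=VALUE; attr; attr" as a browser would.
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        # A Set-Cookie with the same name replaces the stored cookie, attributes
        # included: this is what happens to JSESSIONID on the https hop.
        self._cookies[name] = Cookie(name, value, secure)

    def cookies_for(self, url):
        # Secure cookies are only attached to https requests.
        scheme = urlsplit(url).scheme
        return {
            c.name: c.value
            for c in self._cookies.values()
            if scheme == "https" or not c.secure
        }


def simulate_login_flow():
    """Return a list of (scheme, cookies sent) for the http -> https -> http sequence."""
    jar = BrowserCookieJar()
    sent = []
    # Step 1: login page over http; the container sets JSESSIONID without Secure.
    jar.receive("JSESSIONID=ABC123; Path=/")
    sent.append(("http", jar.cookies_for("http://shop.example/login")))
    # Step 2: login POST over https; the same id is re-sent, now with Secure.
    jar.receive("JSESSIONID=ABC123; Path=/; Secure")
    sent.append(("https", jar.cookies_for("https://shop.example/j_security_check")))
    # Step 3: application switches back to http; the Secure cookie is withheld.
    sent.append(("http", jar.cookies_for("http://shop.example/catalog")))
    return sent


def session_lost(sent, cookie_name="JSESSIONID"):
    """True if any request in the sequence went out without the session cookie."""
    return any(cookie_name not in cookies for _, cookies in sent)


if __name__ == "__main__":
    flow = simulate_login_flow()
    for scheme, cookies in flow:
        print(f"{scheme:5} -> {cookies}")
    print("session lost:", session_lost(flow))
```

Running it prints the session cookie on the first two requests and an empty cookie set on the third, which is exactly the point where the poster's users fall out of their session. The same jar model can be used to check a real Set-Cookie header captured from the https response: if it carries `Secure`, a following http request will not include it.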