Posted to users@tomcat.apache.org by Milt Epstein <me...@uiuc.edu> on 2002/09/09 05:15:55 UTC

RE: passing a session from non-SSL to SSL (fwd)

This thread was started on the list a few days ago.  John Turner and I
exchanged a message or two on it that unintentionally weren't posted
to the list.  I'm reposting them to the list now, in case they might
be of interest to anyone, or anyone would like to add their own comments.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu

---------- Forwarded message ----------
From: Milt Epstein
To: Turner, John
Sent: 9/8/02 12:18 AM
Subject: RE: passing a session from non-SSL to SSL

On Sat, 7 Sep 2002, Turner, John wrote:

> But wait...Joshua is using mod_jk, which means Tomcat isn't involved
> in the SSL communication...everything Tomcat is getting is
> unencrypted across the connector port (8009).  Tomcat isn't flipping
> between 8080 and 8443, or even 80 and 443.  Why shouldn't the
> sessions be the same?  I haven't looked at the AJP spec, but it
> would seem to me that there's no way Tomcat would know the request
> was sent to Apache on 80 or 443.

Well, I did say I wasn't sure of all the technical issues involved :-).
What you bring up may make a difference.

However, typically sessions are handled by cookies, and cookies do
have a "secure" field, and the AJP13 connector does set that field (I
just checked the source), and that could make a difference.  That is,
the browser may not send a cookie whose secure field is set on http
requests (and vice-versa with https).  In fact, that may be the entire
issue with sessions and switching between SSL and non-SSL.

Not sure what would happen if URL-Rewriting is used for sessions
instead of cookies.


> -----Original Message-----
> From: Milt Epstein
> To: Tomcat Users List
> Sent: 9/7/02 11:32 PM
> Subject: Re: passing a session from non-SSL to SSL
>
> On Fri, 6 Sep 2002, Joshua Szmajda wrote:
>
> > Hi all,
> >
> >     I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
> > I'm noticing that my application is now losing track of its sessions
> > when I switch from non-SSL to SSL. The code worked fine in Tomcat
> > 3.2.. I was wondering if there's something I'm missing. My
> > server.xml has a single Ajp13 connector and a plain vanilla host /
> > context configuration. I've JKMount'ed /* to ajp13 in apache on both
> > the normal and SSL virtual hosts.
> >
> >     I'm sure it's something in the spec that's changed, but I can't
> > for the life of me find out what. Changing the code is possible, but
> > preferably avoidable as I didn't write it.
>
> It's well known that Tomcat does not preserve sessions when switching
> from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
> versions, but that's true of the current version.  You can check the
> archives to see where others have brought this up.
>
> I don't think this is a spec issue, so I guess either it was an
> implementation choice by the Tomcat developers or perhaps there's no
> way (or no easy way) around it.  If it was an implementation choice, I
> don't know what it was based on.  I believe there are other servlet
> containers that you can set up so that such switching does not lose
> sessions.  I'm not sure of all the technical issues involved.
>
> Also note that some will say that it doesn't make sense to switch back
> and forth between SSL and non-SSL because security is compromised.
>

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
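The cookie mechanism discussed above, as an added example that is not part of the original thread or of Tomcat's code: a client-side cookie jar decides whether to attach a session cookie based on the cookie's Secure attribute and the scheme of the request, so a JSESSIONID issued with Secure over https is silently withheld on the next http request, while a session id carried in the URL is unaffected. The Python standard-library CookieJar applies the same rule browsers do. The host name app.example, the session value ABC123, the URLs, and the ";jsessionid=" path-parameter name (Tomcat's URL-rewriting convention) are assumptions made for the demonstration.

```python
"""Added example: why a Secure session cookie disappears when a site
flips between https and http, and why a URL-rewritten session id does not.

http.cookiejar.CookieJar is an RFC 6265 style client: a cookie carrying
the Secure attribute is only returned on https (or wss) requests.
All host names, cookie values and URLs are constructed for this demo.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlsplit


class FakeResponse:
    """Minimal stand-in for an HTTP response.  CookieJar.extract_cookies()
    only needs .info() to return a header object that supports get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # duplicates are appended

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Return the Cookie header the client would send to url, or None
    if the jar holds nothing it is willing to send there."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_cookie_visibility(set_cookie_value, login_url, later_urls):
    """Store the session cookie issued by a response to login_url, then
    report which of later_urls would still carry it.
    Returns {url: Cookie-header-or-None}."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie_value]),
                        urllib.request.Request(login_url))
    return {url: cookie_header_for(jar, url) for url in later_urls}


def session_id_from_request(url, cookie_header):
    """Resolve the session id the way a servlet container does: the
    JSESSIONID cookie wins, otherwise fall back to the ';jsessionid='
    path parameter produced by URL rewriting (assumed Tomcat convention).
    The path parameter is scheme-independent, so it survives an
    http <-> https switch that a Secure cookie would not."""
    if cookie_header:
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name == "JSESSIONID":
                return value
    path = urlsplit(url).path           # urlsplit keeps ';params' in path
    marker = ";jsessionid="
    if marker in path:
        after = path.split(marker, 1)[1]
        return after.split(";", 1)[0].split("/", 1)[0]
    return None


if __name__ == "__main__":
    later = ["https://app.example/checkout", "http://app.example/catalog"]
    cases = [
        # cookie minted over https and flagged Secure: lost on the http hop
        ("JSESSIONID=ABC123; Path=/; Secure", "https://app.example/login"),
        # cookie minted over plain http without Secure: sent on both schemes
        ("JSESSIONID=ABC123; Path=/", "http://app.example/login"),
    ]
    for set_cookie, login in cases:
        print(f"{set_cookie!r} issued by {login}")
        for url, hdr in session_cookie_visibility(set_cookie, login, later).items():
            print(f"   {url:<34} -> Cookie: {hdr}")
    # URL rewriting: the id travels in the path, so the scheme does not matter
    print(session_id_from_request("http://app.example/catalog;jsessionid=ABC123", None))
```

Run it and the first case shows the checkout (https) request carrying the cookie while the catalog (http) request carries none, which is exactly the "lost session" symptom; the second case shows a cookie minted without Secure going to both. The trade-off is the one the thread hints at: a session id that survives the switch by being sent over plain http (or in the URL) is a session id an on-path attacker can read, which is why the Secure attribute exists in the first place.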

