Posted to users@tomcat.apache.org by krusek <kr...@comcast.net> on 2008/06/05 00:29:27 UTC

Session lost when switching from https to http after upgrade to Tomcat 6

I have Apache 2 with SSL, a mod_jk connection, and Tomcat. Everything has
worked peachy through one Tomcat upgrade after another. However, now I have
upgraded to Tomcat 6 and I am losing the session when switching from https
to http within the same domain.

For clarity, Apache 2 is handling SSL, not Tomcat.

Does anyone know why this is happening?

Thanks!

Kevin



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Rainer Jung <ra...@kippdata.de>.
krusek wrote:
> We use Tomcat form authentication and it is cookies being used.
> 
> There are 3 cookies: JSESSIONIDSSO, test and JSESSIONID.
> Not sure how you tell if it's marked secure? The test cookie is for testing
> to assure cookies are enabled.

As explained below, my Firefox tells me for which connections (secure or 
all) it uses a cookie when I look at the cookie in my preferences.

You can also use Firebug with cleared cookies and have a look at the 
Set-Cookie header (the header will contain a "; secure"), or you can 
sniff your network traffic on the client side with Wireshark, or on the 
server side with tcpdump/snoop etc. for the same header. Remember to 
clear the cookies in the client/browser before looking for the 
Set-Cookie header.

> Thanks for your help!

Regards,

Rainer

> Rainer Jung-3 wrote:
>> krusek wrote:
>>> I have Apache 2 with SSL, a mod_jk connection, and Tomcat. Everything has
>>> worked peachy through one Tomcat upgrade after another. However, now I have
>>> upgraded to Tomcat 6 and I am losing the session when switching from https
>>> to http within the same domain.
>>>
>>> For clarity, Apache 2 is handling SSL, not Tomcat.
>>>
>>> Does anyone know why this is happening?
>> Are you using cookies for the sessions (JSESSIONID cookie) or URL 
>> encoding (";jsessionid=")?
>>
>> Is some cookie flagged as being "secure"?
>> You can check what the cookie looks like, e.g. using Firefox (Preferences 
>> - Privacy - Cookies).
>>
>>> Thanks!
>>>
>>> Kevin
>> Regards,
>>
>> Rainer



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Johnny Kewl" <jo...@kewlstuff.co.za>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Tuesday, June 10, 2008 3:19 AM
Subject: Re: Session lost when switching from https to http after upgrade to 
Tomcat 6


>
> ----- Original Message ----- 
> From: "Bill Davidson" <bi...@seatadvisor.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Monday, June 09, 2008 7:17 PM
> Subject: Re: Session lost when switching from https to http after upgrade 
> to Tomcat 6
>
>
>> Johnny Kewl wrote:
>>> Bill... Just lose the FORM authentication, replace it with DIGEST, or 
>>> even BASIC.... I think all your problems will go away.
>>
>> I'm not exactly sure what you're saying.  Are you saying that I shouldn't 
>> be
>> authenticating through a form?
>
> Yes... Just because all your problems seem related to cookies, and FORM 
> authentication relies on cookies.
> Also because I have no idea how to tell Tomcat, when creating the session, 
> to lose that secure attribute. I guess one has to override a class 
> somewhere, and
> that's probably just a good indication (these TC designers are guru gods, as 
> clever as hell ;) that maybe moving from HTTPS to HTTP is just a bad idea.
>
> Then I started thinking about, say, DIGEST/BASIC authentication, which does 
> not work on a cookie; it's going to have its own authentication headers and 
> I think the browser will return those even when moving from HTTPS to 
> HTTP... so now with FORM replaced with DIGEST, say... it's all legal.
> And it is actually safe... it would drop the session and make a new 
> one... and for most webapps (that are not using cookies in security) 
> that's no problem, cookies are free ;)
>
> So (if I'm right) FORM auth when moving from HTTPS to HTTP is bad news and 
> requires a kludge, i.e. overriding secure cookies... and even though that's 
> clever, it is a security hole... a hacker gets that cookie, they're in.
>
> But... DIGEST would allow the same thing, no kludge, and would be safe.
>
> That's kinda interesting... or maybe I'm just bored ;)
>
> I don't like the idea of "fixing" it... that's all.


Here's a better way of saying it....
When a webapp moves from HTTPS to HTTP... the sessions must get a bad case 
of amnesia.
That's what the security is doing.

If DIGEST is used... it will still work (I think) even though the webapp has 
a bad case of amnesia,
i.e. the webapp will just start remembering state from the changeover.

OK, I am bored ;)

---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Bill Davidson" <bi...@seatadvisor.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Tuesday, June 10, 2008 3:43 AM
Subject: Re: Session lost when switching from https to http after upgrade to 
Tomcat 6


> Johnny Kewl wrote:
>> maybe moving from HTTPs to HTTP is just a bad idea.
> No doubt.  However, I didn't design this app and it's not up to me.
> BTW, it's an old app.  It's running on Tomcat 3.2.4 in production to
> give you an idea of its age.  We want to move to a newer server
> first and then work on modernizing the app itself.

... It's more just the thought that as soon as FORM auth is used, there are 
other issues that kick in.
+ You, for example, have the HTTPS to HTTP issue.
But another query somewhere here had a similar issue where the guy was 
authenticating against Tomcat, and then again for static content against 
Apache on JK, and the FORM auth was making life difficult there as well.

That's what I'm thinking... and it always seems to be a tricky problem when 
it does show itself.
Those little security dialogs that browsers pop up actually take a whole lot 
of potential issues out of the equation.
No critique, I'm just beginning to think pretty forms come at a cost ;)
I think I'm a DIGEST kinda guy ;)





Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
Johnny Kewl wrote:
> maybe moving from HTTPs to HTTP is just a bad idea.
No doubt.  However, I didn't design this app and it's not up to me.
BTW, it's an old app.  It's running on Tomcat 3.2.4 in production to
give you an idea of its age.  We want to move to a newer server
first and then work on modernizing the app itself.




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Bill Davidson" <bi...@seatadvisor.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 09, 2008 7:17 PM
Subject: Re: Session lost when switching from https to http after upgrade to 
Tomcat 6


> Johnny Kewl wrote:
>> Bill... Just lose the FORM authentication, replace it with DIGEST, or 
>> even BASIC.... I think all your problems will go away.
>
> I'm not exactly sure what you're saying.  Are you saying that I shouldn't 
> be
> authenticating through a form?

Yes... Just because all your problems seem related to cookies, and FORM 
authentication relies on cookies.
Also because I have no idea how to tell Tomcat, when creating the session, to 
lose that secure attribute. I guess one has to override a class somewhere, 
and
that's probably just a good indication (these TC designers are guru gods, as 
clever as hell ;) that maybe moving from HTTPS to HTTP is just a bad idea.

Then I started thinking about, say, DIGEST/BASIC authentication, which does not 
work on a cookie; it's going to have its own authentication headers and I 
think the browser will return those even when moving from HTTPS to HTTP... 
so now with FORM replaced with DIGEST, say... it's all legal.
And it is actually safe... it would drop the session and make a new one... 
and for most webapps (that are not using cookies in security) that's no 
problem, cookies are free ;)

So (if I'm right) FORM auth when moving from HTTPS to HTTP is bad news and 
requires a kludge, i.e. overriding secure cookies... and even though that's 
clever, it is a security hole... a hacker gets that cookie, they're in.

But... DIGEST would allow the same thing, no kludge, and would be safe.

That's kinda interesting... or maybe I'm just bored ;)

I don't like the idea of "fixing" it... that's all.




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
Johnny Kewl wrote:
> Bill... Just lose the FORM authentication, replace it with DIGEST, or 
> even BASIC.... I think all your problems will go away.

I'm not exactly sure what you're saying.  Are you saying that I shouldn't be
authenticating through a form?





Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Bill Davidson" <bi...@SeatAdvisor.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 09, 2008 12:36 AM
Subject: Re: Session lost when switching from https to http after upgrade to 
Tomcat 6


> I'm confused so I'm not sure what I say below makes sense.
>
> If I'm reading these posts correctly, the cookie is issued by the front 
> end
> (which is Apache web server).  Since it is created on an https session, it
> is being marked as "secure".  When the browser switches to a non-secure
> page on the same site, that cookie is not passed because it is a secure
> cookie.
>
> Apparently, this behavior changed between Apache 1.3.x+Apache SSL
> and Apache 2.2 (mod_ssl) because my app used to work doing this with
> Apache1.3 as the front end.
>
> Is there some way to configure Apache not to mark the cookie as secure
> even if it is creating it on an https connection?

Bill... Just lose the FORM authentication, replace it with DIGEST, or even 
BASIC.... I think all your problems will go away.





Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

Martin wrote:
| If you're in a secure location that disallows cookies, you can always
| try url-rewrite

Dude. The container does URL rewriting without requiring other tools.
Stop confusing people with this junk.

- -chris




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
Martin wrote:
> If you're in a secure location that disallows cookies, you can always 
> try url-rewrite

Sorry if I seem a bit dim but I don't understand how url-rewriting
helps me with cookie problems.





Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Martin <mg...@hotmail.com>.
If you're in a secure location that disallows cookies, you can always try 
url-rewrite

Tomcat
http://tuckey.org/urlrewrite/

Caucho
http://www.caucho.com/resin/doc/rewrite-tags.xtp

Apache mod_rewrite
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

HTH
Martin
----- Original Message ----- 
From: "Bill Davidson" <bi...@seatadvisor.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 09, 2008 7:10 PM
Subject: Re: Session lost when switching from https to http after upgrade to 
Tomcat 6


> BTW, I forgot to thank everyone for helping me to understand
> this problem better.  Understanding that the cookie was
> being created by Tomcat with the secure flag and that the flag
> was causing the problem was the key.
>
> Thanks everyone.
>
> --Bill Davidson
>




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
BTW, I forgot to thank everyone for helping me to understand
this problem better.  Understanding that the cookie was
being created by Tomcat with the secure flag and that the flag
was causing the problem was the key.

Thanks everyone.

--Bill Davidson




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
Bill Davidson wrote:
> I'm confused so I'm not sure what I say below makes sense.
>
> If I'm reading these posts correctly, the cookie is issued by the 
> front end
> (which is Apache web server).  Since it is created on an https 
> session, it
> is being marked as "secure".  When the browser switches to a non-secure
> page on the same site, that cookie is not passed because it is a secure
> cookie.
I was right about one thing: I was confused.

Apparently it was actually Tomcat creating the cookie.

I've found a usable workaround.  I'm having my login servlet create
and set the cookie (without setting it to secure).  That seems to have
made the problem go away.  I was trying to get away without changing
the app but this is a pretty minor change.




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@SeatAdvisor.com>.
I'm confused so I'm not sure what I say below makes sense.

If I'm reading these posts correctly, the cookie is issued by the front end
(which is Apache web server).  Since it is created on an https session, it
is being marked as "secure".  When the browser switches to a non-secure
page on the same site, that cookie is not passed because it is a secure
cookie.

Apparently, this behavior changed between Apache 1.3.x+Apache SSL
and Apache 2.2 (mod_ssl) because my app used to work doing this with
Apache1.3 as the front end.

Is there some way to configure Apache not to mark the cookie as secure
even if it is creating it on an https connection?




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by André Warnier <aw...@ice-sa.com>.

Mark Thomas wrote:
> 
...
>>> The problem is that some clients (as a result of the ISP they are 
>>> using) change IP with every request.
>> Off-topic : Are you sure that can really happen ? I must admit that I 
>> have never seen that behaviour before, and it seems to me that it 
>> would create a host of other problems (such as breaking the underlying 
>> TCP sessions).
> I have never seen it but I do recall other people mentioning it as a 
> potential issue previously on this list. I just did a search of the 
> archives and found this thread:
> http://markmail.org/message/db5mcsyn2yj5wt44
> 
Hmm. I am not familiar with proxy details, but I guess they must also 
change the "Keep-alive" outgoing packets, otherwise they would end up 
triggering a lot of pending sessions at the destination servers' level, 
and that may make some people unhappy.
Good to know and store away anyway, if ever one is faced with such 
behaviour.

André




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
André Warnier wrote:
> Mark,
> thank you for the explanations below.  And I apologise if I answered 
> rather testily before.
No problem. I can be a little short too sometimes.

>> The problem is that some clients (as a result of the ISP they are 
>> using) change IP with every request.
> Off-topic : Are you sure that can really happen ? I must admit that I 
> have never seen that behaviour before, and it seems to me that it would 
> create a host of other problems (such as breaking the underlying TCP 
> sessions).
I have never seen it but I do recall other people mentioning it as a 
potential issue previously on this list. I just did a search of the 
archives and found this thread:
http://markmail.org/message/db5mcsyn2yj5wt44

Mark



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> 
> André,
> 
> André Warnier wrote:
> | thank you for the explanations below.  And I apologise if I answered
> | rather testily before.
> 
> It happens. Just remember that Mark happens to be a Tomcat dev, so he's
> in a position to know the Truth ;)

Not that that means I am always right. There is plenty of evidence of my 
errors in the archive ;)

Of course, this being open source anyone is free to look at the source code 
and discover the 'real' truth.

Mark




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

André Warnier wrote:
| thank you for the explanations below.  And I apologise if I answered
| rather testily before.

It happens. Just remember that Mark happens to be a Tomcat dev, so he's
in a position to know the Truth ;)

- -chris




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

Sorry, one more comment:

André Warnier wrote:
| Off-topic : Are you sure that can really happen ? I must admit that I
| have never seen that behaviour before, and it seems to me that it would
| create a host of other problems (such as breaking the underlying TCP
| sessions).

This absolutely used to be the case with AOLers. At [unnamed major CA
company], we had a completely separate instance of one of our
applications that was customized /just/ for AOL users, and it included
tolerance for the old IP-address switcheroo.

- -chris



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by André Warnier <aw...@ice-sa.com>.
Mark,
thank you for the explanations below.  And I apologise if I answered 
rather testily before.

Mark Thomas wrote:
> 
> André Warnier wrote:
>> Mark Thomas wrote:
>>> André Warnier wrote:
>>>> A lot of speculation here, but who knows ?
>>> Indeed. And it is all wrong.
>> Is that proven, or mere speculation on your part ?
> That is fact. In the cases where Tomcat does do an internal redirect it 
> uses a RequestDispatcher.forward()
> 
>>>> To my knowledge, there exists no case where the browser would not 
>>>> send a cookie with every request, if it has it and it is valid.
>>> Well, there is the obvious example Rainer has already given of 
>>> cookies marked as secure. 
>> Which I mentioned, as one of the cases where a browser would not send 
>> the cookie.  But I don't think that a cookie sent by the browser over 
>> a secure connection is necessarily marked as "secure".  That is a 
>> attribute of the cookie, decided by the cookie creator.
> The OP is asking about the session cookie which is created by Tomcat. 
> When the session is created under https, the cookie is marked as secure.
> 
>>> Given that the session is created under https this is
>>> probably what is happening. Sessions are not maintained in 
>>> transitions from https to http.
>> I think that you may err here.  Are you not confusing sessions and 
>> cookies ?
> This is just semantics. The cookie is secure. A secure cookie will not 
> be sent over http. From both the user's and the application's 
> perspective the session is lost.
> 
>> Is is really the session that is gone at the server side ?
> No. It is still there. Switching back to https should restore the session.
> 
>> Or is it that the session is still there, but the absence (in the 
>> browser request) of the cookie containing the session-id does not 
>> allow the server to reconnect the request with the still-existing 
>> session ?
>> I thought that this last was the problem originally mentioned.
> That sums it up pretty well.
> 
>> It must be easy to distinguish between these two cases at the server 
>> side : either there is no cookie, or there is a cookie but the 
>> cookie-id it contains does not allow reconnecting validly to an 
>> existing session.
>> Which is it ?
> It is the first. There is no cookie sent from the browser.
> 
>> There is something else that tickles my memory : in a previous 
>> message, krusek said : "For clarity,  Apache 2 is handling SSL not 
>> tomcat.  "
>> If so, does Tomcat even know that there is an SSL/HTTPS part ?
> Yes. mod_jk passes that info along. It will also pass on any client 
> certificates if httpd has been configured for certificate authentication.
> 
>> I mean, the connection between Apache and Tomcat via mod_jk, if they 
>> are all on the same host, has no particular reason to be SSL, or is it ?
> The connection uses the AJP protocol. mod_jk doesn't support any form of 
> encryption for this link. There are ways of encrypting this if you need to.
> 
>>> If you need to protect the session creation with https then you 
>>> should almost certainly be providing the same level of protection for 
>>> the session ID.
>> Well, not necessarily.  I know you refer to a previous thread 
>> somewhere, but I beg to differ.  You may be wanting to protect via 
>> HTTPS the exchange of a user-id and password over the Internet.  But 
>> once that is done, the session data on the server probably contains 
>> other elements, sufficient to ensure that it is not someone else 
>> sending this same session-id.
> This could be implemented by the application but usually isn't. The most 
> often referred to solution uses the client IP as an added check. The 
> problem is that some clients (as a result of the ISP they are using) 
> change IP with every request.
Off-topic : Are you sure that can really happen ? I must admit that I 
have never seen that behaviour before, and it seems to me that it would 
create a host of other problems (such as breaking the underlying TCP 
sessions).

> 
>> The application may be trivial, but not the user's password.
> If the functionality is important enough to protect with a password over 
> SSL then the session ID, which for most applications will give access to 
> that functionality, should usually be protected in the same way. There 
> will be some exceptions to this. Protecting the session by other means is 
> one possibility.
> 
> To get back to the OP's question: the behaviour seen is entirely 
> expected. Like Len, I am more concerned that it wasn't seen in previous 
> versions.
> 

Without meaning any disrespect to anyone, it is in my experience a 
rather frequent occurrence that someone would say that "nothing else 
than a xxx update was made, and the consequence is yyy", and 
overlook/not think it important to mention, that something else was also 
done simultaneously.  I have been guilty of the same sin.

Since according to Mark's explanation above, there is a rational 
explanation of why the session-id-bearing cookies, although present in 
the browser cache, are not being sent anymore after the session switches 
back from HTTPS to HTTP, and since that behaviour is not new and has in 
fact nothing to do with Tomcat directly, the logical inference is that 
there must have been something else changed compared to before, when it 
was working.

In other words, original submitter, out with it : what else apart from 
the Tomcat update was done ?  Was the session pages layout, ever so 
slightly, also modified maybe ?

André



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lloyd,

DIGLLOYD INC wrote:
| What is a viable workaround for switching to http from https once
| the user is authenticated?

Simple: make sure that the user has a session before you switch into
HTTPS mode.

- -chris


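The mechanism discussed in this thread (Rainer's "; secure" check on Set-Cookie, Mark's point that a Secure cookie is never sent over http, and Chris's workaround of having the session exist before the switch to https), as an added model that is not code from the thread or from Tomcat. Which request paths create a session, the Container class and the session id format are assumptions of this model.

```python
# Added example, not Tomcat code: a small model of the Secure-cookie behaviour
# this thread describes.  Tomcat marks JSESSIONID "Secure" when the session is
# created on an https request, and a browser never sends a Secure cookie over
# plain http, so the application sees the session "lost".
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value and report whether it carries the
    Secure attribute (the '; secure' Rainer suggests looking for)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attr_names = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), secure="secure" in attr_names)


class Browser:
    """Cookie jar that honours the Secure attribute (RFC 6265, section 4.1.2.5)."""

    def __init__(self) -> None:
        self.jar: dict[str, Cookie] = {}

    def store(self, set_cookie_header: str) -> None:
        cookie = parse_set_cookie(set_cookie_header)
        self.jar[cookie.name] = cookie   # same name: the new cookie replaces the old

    def cookies_for(self, scheme: str) -> dict[str, str]:
        """Cookies the browser attaches to a request over the given scheme."""
        return {c.name: c.value for c in self.jar.values()
                if scheme == "https" or not c.secure}


# Assumption of the model: only these paths create a session; every other
# request merely looks up the session named by the JSESSIONID cookie.
SESSION_CREATING_PATHS = {"/", "/login"}


class Container:
    """Stand-in for Tomcat's session handling (constructed, not Tomcat code)."""

    def __init__(self) -> None:
        self.sessions: set[str] = set()

    def handle(self, scheme: str, path: str, cookies: dict[str, str]):
        """Return (session id the request is tied to or None, Set-Cookie or None)."""
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return sid, None
        if path not in SESSION_CREATING_PATHS:
            return None, None            # request arrives without a usable session
        sid = f"SESS{len(self.sessions) + 1:04d}"   # constructed id, not Tomcat's format
        self.sessions.add(sid)
        header = f"JSESSIONID={sid}; Path=/"
        if scheme == "https":
            header += "; Secure"         # session created under https => Secure cookie
        return sid, header


def run_flow(requests):
    """Drive one browser through (scheme, path) requests.  Returns the session id
    seen per request and whether the stored JSESSIONID ended up Secure."""
    browser, container = Browser(), Container()
    seen = []
    for scheme, path in requests:
        sid, set_cookie = container.handle(scheme, path, browser.cookies_for(scheme))
        seen.append(sid)
        if set_cookie:
            browser.store(set_cookie)
    jsession = browser.jar.get("JSESSIONID")
    return seen, bool(jsession and jsession.secure)


# The original poster's situation: login over https, then a plain-http page.
OP_FLOW = [("https", "/login"), ("https", "/home"),
           ("http", "/images/big.jpg"), ("https", "/home")]
# Chris's workaround: the session already exists (created over http) before
# the switch to https, so the cookie is not Secure and survives the switch.
# The trade-off is that the session id then travels in clear over http.
WORKAROUND_FLOW = [("http", "/"), ("https", "/login"),
                   ("https", "/home"), ("http", "/images/big.jpg")]

if __name__ == "__main__":
    print(run_flow(OP_FLOW))          # (['SESS0001', 'SESS0001', None, 'SESS0001'], True)
    print(run_flow(WORKAROUND_FLOW))  # (['SESS0001', 'SESS0001', 'SESS0001', 'SESS0001'], False)
```

The None on the http request in OP_FLOW is the "lost" session; switching back to https finds it again, as Mark says, because the Secure cookie is still in the jar.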


Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by DIGLLOYD INC <di...@diglloyd.com>.
I've been having the same issues others have been asking about.  This  
discussion has been useful, but...

===> What is a viable workaround for switching to http from https once  
the user is authenticated?  And is that idea unreasonable (see use  
case below).

My main concern is that sending large amounts of static content over  
https (large JPEGs in particular) will cause an undue load on the  
server, as opposed to 'http'.

Here is my use case:

1.  The user's password should be protected over https when logging  
in.  Ditto for the user's home page.

2.  Once logged in, a large amount of static content (html, large  
JPEGs, etc) is available to that user.  None of it is of a sensitive  
nature.

3. While it's true that the sessionid could be hijacked, an attacker  
would need the user's actual password to do anything malicious; there  
isn't any sensitive user data, just access to content.  So having  
sessionid travel over plain http would be fine.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Jun 7, 2008, at 3:40 AM, Mark Thomas wrote:

>>
>> The application may be trivial, but not the user's password.
> If the functionality is important enough to protect with a password  
> over SSL then the session ID, which for most applications will give  
> access to that functionality, should usually be protected in the  
> same way. There will be some exceptions to this. Protecting the  
> session by other means is one possibility.




Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
André Warnier wrote:
> Mark Thomas wrote:
>> André Warnier wrote:
>>> A lot of speculation here, but who knows ?
>> Indeed. And it is all wrong.
> Is that proven, or mere speculation on your part ?
That is fact. In the cases where Tomcat does do an internal redirect it 
uses a RequestDispatcher.forward()

>>> To my knowledge, there exists no case where the browser would not 
>>> send a cookie with every request, if it has it and it is valid.
>> Well, there is the obvious example Rainer has already given of cookies 
>> marked as secure. 
> Which I mentioned, as one of the cases where a browser would not send 
> the cookie.  But I don't think that a cookie sent by the browser over a 
> secure connection is necessarily marked as "secure".  That is an 
> attribute of the cookie, decided by the cookie creator.
The OP is asking about the session cookie which is created by Tomcat. When 
the session is created under https, the cookie is marked as secure.

> Given that the session is created under https this is
>> probably what is happening. Sessions are not maintained in transitions 
>> from https to http.
> I think that you may err here.  Are you not confusing sessions and 
> cookies ?
This is just semantics. The cookie is secure. A secure cookie will not be 
sent over http. From both the user's and the application's perspective the 
session is lost.

> Is it really the session that is gone at the server side ?
No. It is still there. Switching back to https should restore the session.

> Or is it that the session is still there, but the absence (in the 
> browser request) of the cookie containing the session-id does not allow 
> the server to reconnect the  request with the still-existing session ?
> I thought that this last was the problem originally mentioned.
That sums it up pretty well.

> It must be easy to distinguish between these two cases at the server 
> side : either there is no cookie, or there is a cookie but the cookie-id 
> it contains does not allow to reconnect validly to an existing session.
> Which is it ?
It is the first. There is no cookie sent from the browser.

> There is something else that tickles my memory : in a previous message, 
> krusek said : "For clarity,  Apache 2 is handling SSL not tomcat.  "
> If so, does Tomcat even know that there is an SSL/HTTPS part ?
Yes. mod_jk passes that info along. It will also pass on any client 
certificates if httpd has been configured for certificate authentication.

> I mean, the connection between Apache and Tomcat via mod_jk, if they are 
> all on the same host, has no particular reason to be SSL, or is it ?
The connection uses the AJP protocol. mod_jk doesn't support any form of 
encryption for this link. There are ways of encrypting this if you need to.

>> If you need to protect the session creation with https then you should 
>> almost certainly be providing the same level of protection for the 
>> session ID.
> Well, not necessarily.  I know you refer to a previous thread somewhere, 
> but I beg to differ.  You may be wanting to protect via HTTPS the 
> exchange of a user-id and password over the Internet.  But once that is 
> done, the session data on the server probably contains other elements, 
> sufficient to ensure that it is not someone else sending this same 
> session-id.
This could be implemented by the application but usually isn't. The most 
often referred to solution uses the client IP as an added check. The 
problem is that some clients (as a result of the ISP they are using) change 
IP with every request.

> The application may be trivial, but not the user's password.
If the functionality is important enough to protect with a password over 
SSL then the session ID, which for most applications will give access to 
that functionality, should usually be protected in the same way. There will 
be some exceptions to this. Protecting the session by other means is one 
possibility.

To get back to the OP's question: the behaviour seen is entirely expected. 
Like Len, I am more concerned that it wasn't seen in previous versions.

Mark



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by André Warnier <aw...@ice-sa.com>.

Mark Thomas wrote:
> 
> André Warnier wrote:
>> A lot of speculation here, but who knows ?
> Indeed. And it is all wrong.
Is that proven, or mere speculation on your part ?

> 
>> To my knowledge, there exists no case where the browser would not send 
>> a cookie with every request, if it has it and it is valid.
> Well, there is the obvious example Rainer has already given of cookies 
> marked as secure. 
Which I mentioned, as one of the cases where a browser would not send 
the cookie.  But I don't think that a cookie sent by the browser over a 
secure connection is necessarily marked as "secure".  That is an 
attribute of the cookie, decided by the cookie creator.

Given that the session is created under https this is
> probably what is happening. Sessions are not maintained in transitions 
> from https to http.
I think that you may err here.  Are you not confusing sessions and cookies ?
Is it really the session that is gone at the server side ?
Or is it that the session is still there, but the absence (in the 
browser request) of the cookie containing the session-id does not allow 
the server to reconnect the  request with the still-existing session ?
I thought that this last was the problem originally mentioned.

It must be easy to distinguish between these two cases at the server 
side : either there is no cookie, or there is a cookie but the cookie-id 
it contains does not allow to reconnect validly to an existing session.
Which is it ?

There is something else that tickles my memory : in a previous message, 
krusek said : "For clarity,  Apache 2 is handling SSL not tomcat.  "
If so, does Tomcat even know that there is an SSL/HTTPS part ?
I mean, the connection between Apache and Tomcat via mod_jk, if they are 
all on the same host, has no particular reason to be SSL, or is it ? 
(that is ignorance on my part, I really don't know)

> 
> If you need to protect the session creation with https then you should 
> almost certainly be providing the same level of protection for the 
> session ID.
Well, not necessarily.  I know you refer to a previous thread somewhere, 
but I beg to differ.  You may be wanting to protect via HTTPS the 
exchange of a user-id and password over the Internet.  But once that is 
done, the session data on the server probably contains other elements, 
sufficient to ensure that it is not someone else sending this same 
session-id.
The application may be trivial, but not the user's password.

> 
> Mark
> 
> 



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
André Warnier wrote:
> A lot of speculation here, but who knows ?
Indeed. And it is all wrong.

> To my knowledge, there exists no case where the browser would not send a 
> cookie with every request, if it has it and it is valid.
Well, there is the obvious example Rainer has already given of cookies 
marked as secure. Given that the session is created under https this is 
probably what is happening. Sessions are not maintained in transitions from 
https to http.

If you need to protect the session creation with https then you should 
almost certainly be providing the same level of protection for the session ID.

Mark



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

A couple of emails ago, I think you showed the code that was doing a 
redirect, and said that that was where it seemed to be "losing the cookie".

Let me get back to a couple of my own emails ago, just to set matters 
straight : a cookie is "a browser thing".  If the browser has never seen 
the cookie, it can never send it back on a subsequent request, right ?
I wonder if the re-direct you are doing, from the HTTPS to the HTTP 
server, would not by any chance be some kind of purely internal 
redirect, without going to the browser at all.
So that the HTTPS part "thinks" it is setting a cookie, but in fact the 
browser never gets that response, so the browser never gets the cookie.
That may be hidden somewhere in the code that is being called to do the 
redirect, and which under earlier versions may have done an external 
redirect (with a back-and-forth through the browser), but which now has 
become purely internal.
A lot of speculation here, but who knows ?

Now, I know I am being a pain, but you have a puzzling problem, and 
sometimes it is the obvious things that one does not see.

So let me again insist : a cookie is a browser thing.
If you open your browser and navigate to a server, and at some point 
this server sends back a response with a cookie, the browser will 
*always* send back that cookie on any subsequent request to the same 
server, unless :
- the browser is set to ignore cookies
- it never received the cookie in the first place
- the user manually (or programmatically) deletes the cookie from the 
browser cookie store.
- you close the browser, and the cookie was "for the session only".
The next time you open the browser, the cookie is gone then.
- the cookie expires (expiration date/time is past)
- the cookie has been re-sent in the meantime by the server, with a 
date/time such that it has expired (that's the same as the previous 
case, except that here it is the server that decided at some point to 
"expire" the cookie, by updating it)
- the cookie is marked "secure" (HTTPS-only), and you are not (or no 
longer) on an HTTPS connection.

To my knowledge, there exists no case where the browser would not send a 
cookie with every request, if it has it and it is valid.
(So for instance, make sure that the code which is setting the cookie, 
has not changed so that now it is still setting a cookie, but one that 
is immediately expired.)

And one more :
When a server sends a cookie to a browser, it happens by means of a HTTP 
header in a response to the browser. This HTTP header is
"Set-Cookie:(cookie value)"
When a browser sends a cookie to a server, it happens by means of a HTTP 
header joined to a request.  The header then is
"Cookie: (cookie-value)".
So, if by some circumstance that I cannot really fathom, the server 
would compose a response with a cookie, it would do it by adding a HTTP 
header "Set-Cookie".  If that response would be short-circuited and go 
back right into the server, the input side of the server would not see 
this cookie, because it does not arrive in a "Cookie" header.

André



krusek wrote:
> We use tomcat forms authentication and it is cookies being used. 
> 
> There are 3 cookies,  JSESSONIDSSO, test and JSESSONID.
> Not sure how you tell if it's marked secure?   The test cookie is for testing
> to assure cookies are enabled.
> 
> Thanks for your help!
> 
>  
> 
> 
> Rainer Jung-3 wrote:
>> krusek wrote:
>>> I have Apache 2 with SSL,  mod_jk connection, and Tomcat.  Everything has
>>> worked peachy from one tomcat upgrade after another.  However now I
>>> upgraded
>>> to tomcat 6 and I am losing the session when switching from https to
>>> http
>>> within the same domain.
>>>
>>> For clarity,  Apache 2 is handling SSL not tomcat.  
>>>
>>> Does anyone know why this is happening?
>> Are you using cookies for the sessions (JSESSIONID cookie) or URL 
>> encoding (";jsessionid=")?
>>
>> Is some cookie flagged as being "secure"?
>> You can check how the cookie looks like e.g. using Firefox (Preferences 
>> - Privacy - Cookies).
>>
>>> Thanks!
>>>
>>> Kevin
>> Regards,
>>
>> Rainer
>>
>>
>>
>>
> 

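Putting André's browser-side rules, Mark's point that the session itself survives on the server while the Secure cookie is simply withheld over http, and Chris's workaround (have the session exist before the switch into https) side by side, as an added example that is not code from this thread or from Tomcat. The cookie jar, the session server, the session ids and the three-request scenario are all constructed for the illustration; `BrowserCookieJar`, `SessionServer` and `run_scenario` are names chosen here, and the Secure flag on a session created under https is the Tomcat 6 behaviour Mark describes, imitated rather than called:

```python
"""Model of the https -> http session loss discussed in this thread.

Everything here is constructed for the example and is not Tomcat code.
The jar follows the browser rules from the thread: a cookie is sent only
if it was received, has not expired and, when marked Secure, the request
is https. The server keeps sessions in a dict; a scheme switch never
removes one, the request is just not associated with it without a Cookie.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_COOKIE = "JSESSIONID"


@dataclass
class StoredCookie:
    value: str
    secure: bool
    expires: Optional[float]  # absolute time; None means "for the session only"


class BrowserCookieJar:
    """Browser side: stores Set-Cookie headers, decides which to send back."""

    def __init__(self) -> None:
        self.cookies: Dict[str, StoredCookie] = {}

    def store(self, set_cookie: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        secure, expires = False, None
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "secure":
                secure = True
            elif key == "max-age":
                expires = now + int(val)
        if expires is not None and expires <= now:
            self.cookies.pop(name, None)   # server re-sent it already expired: delete
        else:
            self.cookies[name] = StoredCookie(value, secure, expires)

    def cookie_header(self, scheme: str, now: Optional[float] = None) -> Optional[str]:
        """Build the Cookie request header for a request over `scheme`, or None."""
        now = time.time() if now is None else now
        pairs = []
        for name, c in list(self.cookies.items()):
            if c.expires is not None and c.expires <= now:
                del self.cookies[name]     # expired in the meantime
                continue
            if c.secure and scheme != "https":
                continue                   # the OP's case: Secure cookie, plain http
            pairs.append(f"{name}={c.value}")
        return "; ".join(pairs) if pairs else None


class SessionServer:
    """Server side: the session store is untouched by the scheme switch."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def _lookup(self, cookie_header: Optional[str]) -> Optional[str]:
        if not cookie_header:
            return None
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name == SESSION_COOKIE and value in self.sessions:
                return value
        return None

    def handle(self, scheme: str, cookie_header: Optional[str],
               needs_session: bool = True) -> Tuple[Optional[str], Optional[str]]:
        """Return (session id seen for this request, Set-Cookie header or None)."""
        sid = self._lookup(cookie_header)
        if sid is not None or not needs_session:
            return sid, None               # static content creates no session
        sid = secrets.token_hex(16)        # constructed id, not Tomcat's generator
        self.sessions[sid] = {"created_over": scheme}
        header = f"{SESSION_COOKIE}={sid}; Path=/"
        if scheme == "https":
            header += "; Secure"           # imitates Tomcat 6 for sessions created under https
        return sid, header


def run_scenario(login_scheme: str) -> List[Optional[str]]:
    """Log in over `login_scheme`, fetch static content over http, then return
    to an application page over https. Returns the session id the server saw
    for each request (None = no session)."""
    jar, server = BrowserCookieJar(), SessionServer()
    seen = []
    for scheme, needs_session in ((login_scheme, True), ("http", False), ("https", True)):
        sid, set_cookie = server.handle(scheme, jar.cookie_header(scheme), needs_session)
        if set_cookie:
            jar.store(set_cookie)
        seen.append(sid)
    return seen


if __name__ == "__main__":
    print("login over https:", run_scenario("https"))  # [sid, None, sid]
    print("login over http: ", run_scenario("http"))   # [sid, sid, sid]
```

Running it shows both outcomes. A login over https yields a Secure JSESSIONID that the jar withholds on the http request (that request has no session) and sends again on the next https request, where the original session is found intact, which is Mark's "switching back to https should restore the session". A login over http yields a cookie without the Secure attribute, so the session survives the switch as Chris suggests, at the price Mark describes: the session id then travels in clear on every http request. The http request in the scenario deliberately fetches static content and creates no session; a request that did create a new session over http would send a second, non-Secure JSESSIONID to the browser, and which one the browser keeps then depends on its cookie replacement rules, so the clean separation shown here no longer holds.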


Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Len Popp <le...@gmail.com>.
On Fri, Jun 6, 2008 at 15:11, krusek <kr...@comcast.net> wrote:
> There are 3 cookies,  JSESSONIDSSO, test and JSESSONID.
> Not sure how you tell if it's marked secure?

Some browsers can tell you this. Check your browser's documentation.

But what I don't understand is why it "worked" before - I thought that
session cookies were *supposed* to be dropped when going from HTTPS to
HTTP.
Ref: http://marc.info/?l=tomcat-user&m=112370795230194&w=2
-- 
Len



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by krusek <kr...@comcast.net>.
We use tomcat forms authentication and it is cookies being used. 

There are 3 cookies,  JSESSONIDSSO, test and JSESSONID.
Not sure how you tell if it's marked secure?   The test cookie is for testing
to assure cookies are enabled.

Thanks for your help!

 


Rainer Jung-3 wrote:
> 
> krusek wrote:
>> I have Apache 2 with SSL,  mod_jk connection, and Tomcat.  Everything has
>> worked peachy from one tomcat upgrade after another.  However now I
>> upgraded
>> to tomcat 6 and I am losing the session when switching from https to
>> http
>> within the same domain.
>> 
>> For clarity,  Apache 2 is handling SSL not tomcat.  
>> 
>> Does anyone know why this is happening?
> 
> Are you using cookies for the sessions (JSESSIONID cookie) or URL 
> encoding (";jsessionid=")?
> 
> Is some cookie flagged as being "secure"?
> You can check how the cookie looks like e.g. using Firefox (Preferences 
> - Privacy - Cookies).
> 
>> Thanks!
>> 
>> Kevin
> 
> Regards,
> 
> Rainer
> 
> 
> 
> 





Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Rainer Jung <ra...@kippdata.de>.
krusek wrote:
> I have Apache 2 with SSL,  mod_jk connection, and Tomcat.  Everything has
> worked peachy from one tomcat upgrade after another.  However now I upgraded
> to tomcat 6 and I am losing the session when switching from https to http
> within the same domain.
> 
> For clarity,  Apache 2 is handling SSL not tomcat.  
> 
> Does anyone know why this is happening?

Are you using cookies for the sessions (JSESSIONID cookie) or URL 
encoding (";jsessionid=")?

Is some cookie flagged as being "secure"?
You can check how the cookie looks like e.g. using Firefox (Preferences 
- Privacy - Cookies).

> Thanks!
> 
> Kevin

Regards,

Rainer



Re: Session lost when switching from https to http after upgrade to Tomcat 6

Posted by Bill Davidson <bi...@seatadvisor.com>.
krusek wrote:
> I have Apache 2 with SSL,  mod_jk connection, and Tomcat.  Everything has
> worked peachy from one tomcat upgrade after another.  However now I upgraded
> to tomcat 6 and I am losing the session when switching from https to http
> within the same domain.
>
> For clarity,  Apache 2 is handling SSL not tomcat.  
>
> Does anyone know why this is happening?
>   
I appear to be having the exact same problem.  If I figure it out, I'll 
reply here.  Likewise, please let us know if you figure it out.



