Posted to java-user@axis.apache.org by "G, Sreenivasa (MED)" <Sr...@geind.ge.com> on 2002/08/09 05:48:18 UTC

Session lost when switched from http to https

Hi,

I am working on an application where I do authentication using HTTPS and put
the user information in session. But when I switch to HTTP, session
information is lost. Please let me know if anybody knows how to maintain
session information between http & https.

thanks,
--sreeni 


"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
ADDRESSEE and may contain confidential and privileged information.
If the reader of this message is not the intended recipient,
you are notified that any dissemination, distribution or copy of this 
communication is strictly Prohibited. 
If you have received this message by error, please notify us 
immediately, return the original mail to the sender and delete the 
message from your system."


Re: Session lost when switched from http to https

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
The issue of http vs. https is an interesting one, and I don't think the 
proper handling is as clear as this indicates. The cookie handling 
specifications talk about matching URIs to determine when a cookie 
should be sent, and the scheme prefix is part of the URI. But HTTPS is 
not recognized as a separate prefix in URIs, presumably because it's 
just shorthand for HTTP over a secure socket connection.

Cookies include a "secure" flag that should be set when the cookie is 
only supposed to be sent over a secure connection. Netscape, which 
originated cookies, used this flag to control whether a cookie would be 
sent over both HTTP and HTTPS connections or only over HTTPS 
connections. I know early versions of IE broke this behavior and would 
only send cookies over the same type of connection on which they'd 
originally been received. I don't know if IE ever corrected this 
behavior; if not, it may have become the monopoly-enforced "standard".

I haven't looked at the Axis code for this, but for a proper 
implementation it should definitely provide a way for the user to control 
whether the cookie is sent with a "secure" flag, and should probably use 
the "secure" flag setting to determine whether a cookie is sent for both 
HTTP and HTTPS (no secure flag) or only over HTTPS (secure flag) 
connections.

  - Dennis

 http://wp.netscape.com/newsref/std/cookie_spec.html
 http://www.w3.org/Protocols/rfc2109/rfc2109
 http://www.w3.org/Addressing/URL/uri-spec.html

Martin Jericho wrote:

>This isn't possible.  The client keeps track of the session via a cookie,
>which is stored against a particular base url.  When you change protocols,
>the base url has changed and it is not allowed to send it.
>The best thing to do would be to use https all the time.
>
>----- Original Message -----
>From: "G, Sreenivasa (MED)" <Sr...@geind.ge.com>
>To: <ax...@xml.apache.org>
>Sent: Friday, August 09, 2002 1:48 PM
>Subject: Session lost when switched from http to https
>
>
>  
>
>>Hi,
>>
>>I am working on an application where I do authentication using HTTPS and put
>>the user information in session. But when I switch to HTTP, session
>>information is lost. Please let me know if anybody knows how to maintain
>>session information between http & https.
>>
>>thanks,
>>--sreeni
>
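
The "secure" flag behaviour described in the reply above, as an added example that is not part of the original thread and is not Axis code: a minimal client-side cookie jar that sends an unflagged cookie over both HTTP and HTTPS and a flagged cookie over HTTPS only. The class name `SecureFlagJar`, the host `shop.example` and the cookie names and values are assumptions constructed for illustration.

```java
import java.net.HttpCookie;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Hypothetical minimal cookie jar (not Axis code) applying the Netscape "secure" rule.
public class SecureFlagJar {
    private final List<HttpCookie> jar = new ArrayList<>();

    // Store the cookies from one Set-Cookie header received from `origin`.
    public void store(URI origin, String setCookieHeader) {
        for (HttpCookie c : HttpCookie.parse(setCookieHeader)) {
            if (c.getDomain() == null) c.setDomain(origin.getHost()); // host-only default
            if (c.getPath() == null) c.setPath("/");
            jar.add(c);
        }
    }

    // Build the Cookie header value for a request. The scheme is consulted
    // only to enforce the secure flag, never as part of the match itself.
    public String cookieHeaderFor(URI request) {
        boolean tls = "https".equalsIgnoreCase(request.getScheme());
        String path = request.getPath().isEmpty() ? "/" : request.getPath();
        List<String> out = new ArrayList<>();
        for (HttpCookie c : jar) {
            if (c.hasExpired()) continue;
            // Simplification: exact host match only, no domain-suffix matching.
            if (!c.getDomain().equalsIgnoreCase(request.getHost())) continue;
            // Netscape-style prefix match on the path.
            if (!path.startsWith(c.getPath())) continue;
            // A secure cookie must never leave over plain HTTP.
            if (c.getSecure() && !tls) continue;
            out.add(c.getName() + "=" + c.getValue());
        }
        return String.join("; ", out);
    }

    public static void main(String[] args) {
        SecureFlagJar jar = new SecureFlagJar();
        URI login = URI.create("https://shop.example/app/login");
        // Constructed sample headers: one session cookie without the flag, one with it.
        jar.store(login, "Set-Cookie: JSESSIONID=constructed123; Path=/app");
        jar.store(login, "Set-Cookie: AUTHTOKEN=constructed456; Path=/app; Secure");
        for (String url : new String[] {"https://shop.example/app/cart", "http://shop.example/app/cart"}) {
            System.out.println(url + " -> Cookie: " + jar.cookieHeaderFor(URI.create(url)));
        }
    }
}
```

A session identifier issued without the flag travels in clear text on the HTTP request, so a server that wants the session confined to HTTPS has to set the flag itself.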



Re: Session lost when switched from http to https

Posted by Martin Jericho <ma...@radiocity.com.au>.
This isn't possible.  The client keeps track of the session via a cookie,
which is stored against a particular base url.  When you change protocols,
the base url has changed and it is not allowed to send it.
The best thing to do would be to use https all the time.

----- Original Message -----
From: "G, Sreenivasa (MED)" <Sr...@geind.ge.com>
To: <ax...@xml.apache.org>
Sent: Friday, August 09, 2002 1:48 PM
Subject: Session lost when switched from http to https


> Hi,
>
> I am working on an application where I do authentication using HTTPS and put
> the user information in session. But when I switch to HTTP, session
> information is lost. Please let me know if anybody knows how to maintain
> session information between http & https.
>
> thanks,
> --sreeni