You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Manuel Mall <MM...@arcus.com.au> on 2002/03/27 02:58:45 UTC
RE: Tomcat 4/SSL/mod_webapp - losing session data when switching
to SSL
Les,
see the recent messages with the subject "Session lost when switching from
https to http in Tomcat 4".
This behaviour seems to be a Tomcat 4 feature, ie. Tomcat 4 appears to be
using a different JSESSIONID for secure and non-secure sessions.
Manuel
-----Original Message-----
From: Les Hazlewood [mailto:les@hazlewood.com]
Sent: Wednesday, 27 March 2002 9:46
To: tomcat-user@jakarta.apache.org
Subject: Tomcat 4/SSL/mod_webapp - losing session data when switching to
SSL
Hello folks...
I have something that I'm just completely stumped on....while Google has
been my best friend the last 5 hours, I still haven't found a solution.
The problem:
When going from http://mydomain/whatever.jsp
to
https://mydomain/secureArea/anything.jsp
Funny things happen.
Basically...this is the scenario:
A user goes from an unsecure page to the secure area (https), and logs in.
Upon succes, I populate the user object (session accessible bean) with all
the yummy info I need (user_id, name, etc).
When I go BACK to an http url from the secure https part, I don't have my
session data for that user anymore :(
I actually checked my database where I store session id's, and when they go
from http to https to log in, Tomcat creates a new session, thereby blanking
out my session I created previously.
I'm using Apache, and I have Tomcat integrated as the backend jsp/servlet
processor using mod_webapp to connect to tomcat.
In Apache, the website has two virtual host entries (one for port 80, one
for port 443), which is needed by apache to distinguish what protocol to use
& when. In Tomcat's server.xml the site has just one context declared
within a <host> attribute for that site. Both of these virtual hosts
directives connect to the same webapp connector for this Context when
passing requests to Tomcat 4.
In Tomcat's server.xml, I have the Apache Tomcat connector defined, and I
have included the secure="true" attribute to allow for secure connecting.
I need Tomcat to use the same session when accessing any page on the
site...over http or https. How can I make this happen?
Am I configuring the virtual hosts in Apache incorrectly? (I don't think so,
but if there is some slick way to have one virtual host listen to 2 port
numbers in Apache from one vhost declaration, I'm all ears).
Do I need another webapp connection to tomcat instead of using just one? One
for http requests, one for https requests? I don't think this is correct
either, since it says in the Tomcat documentation that Tomcat doesn't have
to know about the connections if a server like Apache/IIS is already doing
the ssl encryption/decryption stuff prior to sending stuff to Tomcat (which
is what is happening).
Do I have to do anything with the portRedirect attribute in the
Apache-Tomcat connector? I know you can use this to automatically direct
http to https connections. But until this session sharing problem is fixed,
redirecting won't help me.
Summary: How do I use the same session data from one https page to another
http page and vice versa for the same user without creating a new session?
If you can even remotely help me, I'll be your best friend. My mom makes
some pretty good pie too...
mmmm....pie.
Thanks a TON for anything you folks can point out!
Les Hazlewood
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
Re: Tomcat 4/SSL/mod_webapp - losing session data when switching to SSL
Posted by Les Hazlewood <le...@hazlewood.com>.
Manuel,
I just joined this list right before I sent my email, so I don't know what
was talked about.
Where (what thread) are they located?
Is this really a "feature"? Thats seems rediculous...the Tomcat folks have
to know that this is highly undesirable for the majority of web-based
applications...I'm not questioning your knowledge...I'm just taken aback.
Les
Manuel Mall writes:
> Les,
>
> see the recent messages with the subject "Session lost when switching from
> https to http in Tomcat 4".
>
> This behaviour seems to be a Tomcat 4 feature, ie. Tomcat 4 appears to be
> using a different JSESSIONID for secure and non-secure sessions.
>
> Manuel
>
> -----Original Message-----
> From: Les Hazlewood [mailto:les@hazlewood.com]
> Sent: Wednesday, 27 March 2002 9:46
> To: tomcat-user@jakarta.apache.org
> Subject: Tomcat 4/SSL/mod_webapp - losing session data when switching to
> SSL
>
>
> Hello folks...
>
> I have something that I'm just completely stumped on....while Google has
> been my best friend the last 5 hours, I still haven't found a solution.
>
> The problem:
>
> When going from http://mydomain/whatever.jsp
>
> to
>
> https://mydomain/secureArea/anything.jsp
>
> Funny things happen.
>
> Basically...this is the scenario:
>
> A user goes from an unsecure page to the secure area (https), and logs in.
>
> Upon succes, I populate the user object (session accessible bean) with all
> the yummy info I need (user_id, name, etc).
>
> When I go BACK to an http url from the secure https part, I don't have my
> session data for that user anymore :(
>
> I actually checked my database where I store session id's, and when they go
> from http to https to log in, Tomcat creates a new session, thereby blanking
>
> out my session I created previously.
>
> I'm using Apache, and I have Tomcat integrated as the backend jsp/servlet
> processor using mod_webapp to connect to tomcat.
>
> In Apache, the website has two virtual host entries (one for port 80, one
> for port 443), which is needed by apache to distinguish what protocol to use
>
> & when. In Tomcat's server.xml the site has just one context declared
> within a <host> attribute for that site. Both of these virtual hosts
> directives connect to the same webapp connector for this Context when
> passing requests to Tomcat 4.
>
> In Tomcat's server.xml, I have the Apache Tomcat connector defined, and I
> have included the secure="true" attribute to allow for secure connecting.
>
> I need Tomcat to use the same session when accessing any page on the
> site...over http or https. How can I make this happen?
>
> Am I configuring the virtual hosts in Apache incorrectly? (I don't think so,
>
> but if there is some slick way to have one virtual host listen to 2 port
> numbers in Apache from one vhost declaration, I'm all ears).
>
> Do I need another webapp connection to tomcat instead of using just one? One
>
> for http requests, one for https requests? I don't think this is correct
> either, since it says in the Tomcat documentation that Tomcat doesn't have
> to know about the connections if a server like Apache/IIS is already doing
> the ssl encryption/decryption stuff prior to sending stuff to Tomcat (which
> is what is happening).
>
> Do I have to do anything with the portRedirect attribute in the
> Apache-Tomcat connector? I know you can use this to automatically direct
> http to https connections. But until this session sharing problem is fixed,
>
> redirecting won't help me.
>
> Summary: How do I use the same session data from one https page to another
> http page and vice versa for the same user without creating a new session?
>
> If you can even remotely help me, I'll be your best friend. My mom makes
> some pretty good pie too...
>
> mmmm....pie.
>
> Thanks a TON for anything you folks can point out!
>
> Les Hazlewood
>
> --
> To unsubscribe: <ma...@jakarta.apache.org>
> For additional commands: <ma...@jakarta.apache.org>
> Troubles with the list: <ma...@jakarta.apache.org>
>
> --
> To unsubscribe: <ma...@jakarta.apache.org>
> For additional commands: <ma...@jakarta.apache.org>
> Troubles with the list: <ma...@jakarta.apache.org>
>
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>