Posted to users@tomcat.apache.org by David Hemingway <db...@kooee.com.au> on 2003/01/09 07:59:27 UTC

HTTPS to HTTP

Hi,

I am trying to allow session cookies that were created via https to retain the session when stepping down to http; however, by default a new session will be made. It seems that a session made under http will persist if you step up to https, but not the reverse. I read in the following document that in Tomcat 3.3.2 you can allow a session to be valid via http even if it was created via https: http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId


      secureCookie
      [Tomcat 3.3.2] If true, then Tomcat will mark the Session ID cookie as "Secure" if the session is created over a SSL connection. A conforming browser will only send the cookie back to a page that is using SSL. The effect is that if a session is created from a SSL page, then it is not available to any non-SSL pages.



<SessionId cookiesFirst="true" noCookies="false" />
<SessionId noCookies="true" />
<SessionId noCookies="true" checkSSLSessionId="true"/>

I am using Tomcat 4.1.18 and I would like to implement this as it will greatly simplify a section of my site. I have 2 questions regarding it though. 1. Can anyone tell me how this can be implemented in 4.1.18 to begin with :-) (I can't find any docs). 2. Does this open up a huge security hole that I am not seeing? I have heard things about session hijacking.

Many thanks
regards,

Dave
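The following is an added example, not code from the original post or from Tomcat. It models the browser-side rule the quoted Tomcat 3.3.2 documentation relies on: a cookie carrying the Secure attribute is only attached to https requests, so a session ID issued over SSL never crosses a plaintext http connection. The sample Set-Cookie headers and the session ID value are constructed for illustration; the cookie name JSESSIONID is the servlet default, and the behaviour of the two headers side by side is exactly the difference between secureCookie="true" and secureCookie="false" in the quoted documentation.

```python
"""Model how a conforming browser scopes a session cookie with and
without the Secure attribute (added example; not Tomcat code)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers: the same session ID, issued over SSL,
# once without and once with the Secure attribute.
SET_COOKIE_INSECURE = "JSESSIONID=3A5F9C02D1E7B4A6; Path=/"
SET_COOKIE_SECURE = "JSESSIONID=3A5F9C02D1E7B4A6; Path=/; Secure"


def parse_set_cookie(header):
    """Return (name, value, secure) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    # Morsel stores flag attributes as True when present, "" otherwise.
    return name, morsel.value, bool(morsel["secure"])


def cookies_for_request(jar, url):
    """Cookies a conforming browser attaches to a request for url.

    jar is a list of (name, value, secure) tuples. A Secure cookie is
    only sent when the request scheme is https; all others are always sent.
    """
    scheme = urlsplit(url).scheme.lower()
    return {
        name: value
        for name, value, secure in jar
        if scheme == "https" or not secure
    }


def session_exposed_over_http(set_cookie_header):
    """True if the session ID in set_cookie_header would travel in clear
    text on a later http request to the same host, i.e. be readable by a
    passive network observer and replayable against https pages too."""
    jar = [parse_set_cookie(set_cookie_header)]
    return "JSESSIONID" in cookies_for_request(jar, "http://example.test/page")


if __name__ == "__main__":
    for header in (SET_COOKIE_INSECURE, SET_COOKIE_SECURE):
        print(header)
        print("  sent over http:", session_exposed_over_http(header))
```

Running the block shows the trade-off behind the second question in the post: the non-Secure cookie is sent on http and so keeps the session across the step-down, but it is also exposed to anyone on the network path, who can then present the same ID over https. The Secure cookie stays on SSL only, which is why Tomcat starts a fresh session for the http page.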

Re: HTTPS to HTTP

Posted by Bill Barker <wb...@wilshire.com>.
As the person who implemented the 3.3.2 behavior documented below, I'm more
than willing to review a patch to 4.1.x that would implement the same
behavior.  I just can't bring myself to believe that it's that big of an
issue if it's not worth anyone's time to construct a patch.

"David Hemingway" <db...@kooee.com.au> wrote in message
news:031c01c2b7ac$a6f50a90$0b7bfea9@w9b1jqmyjsd9ds1...