Posted to users@tomcat.apache.org by David Hemingway <db...@kooee.com.au> on 2003/01/09 07:59:27 UTC
HTTPS to HTTP
Hi,
I am trying to allow session cookies that were created via https to retain the session when stepping down to http; however, by default a new session will be made. It seems that a session made under http will sustain if you step up to https but not the reverse. I read in the following document that in tomcat 3.3.2 you can allow a session to be valid via http even if it was created via https: http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId
secureCookie
[Tomcat 3.3.2] If true, then Tomcat will mark the Session ID cookie as "Secure" if the session is created over a SSL connection. A conforming browser will only send the cookie back to a page that is using SSL. The effect is that if a session is created from a SSL page, then it is not available to any non-SSL pages.
<SessionId cookiesFirst="true" noCookies="false" />
<SessionId noCookies="true" />
<SessionId noCookies="true" checkSSLSessionId="true"/>
I am using Tomcat 4.1.18 and I would like to implement this as it will greatly simplify a section of my site. I have 2 questions regarding it though. 1 Can anyone tell me how this can be implemented in 4.1.18 to begin with :-) (I can't find any docs). 2 Does this open up a huge security hole that I am not seeing? I have heard things about session hijacking?
Many thanks
regards,
Dave
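A small model of the behaviour Dave describes, added here as an illustration (it is not code from the thread or from Tomcat): a browser cookie jar that honours the Secure attribute, and a toy server that mints JSESSIONID cookies the way the secureCookie switch is documented to. The host name shop.example.test, the session ids and the Set-Cookie text are constructed. Walking https then http with secureCookie on yields a fresh session on the http step (what Dave observed); with it off the same id is reused, but the second element of each tuple records that the id crossed the wire in cleartext, which is the exposure behind his session-hijacking question.

```python
from dataclasses import dataclass
from itertools import count
from urllib.parse import urlparse

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool  # the "Secure" attribute from Set-Cookie

def parse_set_cookie(header: str) -> Cookie:
    """Parse 'NAME=value; attr; attr' from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return Cookie(name, value, any(p.lower() == "secure" for p in parts[1:]))

class BrowserJar:  # cookie store that honours Secure like a conforming browser
    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def store(self, set_cookie: str) -> None:
        c = parse_set_cookie(set_cookie)
        self.cookies[c.name] = c

    def cookies_for(self, url: str) -> dict[str, str]:
        # A Secure cookie is only sent back when the request itself uses SSL/TLS.
        https = urlparse(url).scheme == "https"
        return {c.name: c.value for c in self.cookies.values() if https or not c.secure}

class SessionServer:  # toy model of the session-id cookie with the secureCookie switch
    def __init__(self, secure_cookie: bool) -> None:
        self.secure_cookie = secure_cookie
        self._ids = count(1)

    def handle(self, url: str, jar: BrowserJar) -> tuple[str, bool]:
        """Return (session id used, True if that id crossed the wire in cleartext)."""
        https = urlparse(url).scheme == "https"
        sent = jar.cookies_for(url)
        if "JSESSIONID" in sent:
            return sent["JSESSIONID"], not https  # client presented an existing session
        sid = f"S{next(self._ids)}"
        flag = "; Secure" if (https and self.secure_cookie) else ""
        jar.store(f"JSESSIONID={sid}; Path=/{flag}")
        return sid, not https  # new session; its id travels back in the response

def walk(schemes: list[str], secure_cookie: bool) -> list[tuple[str, bool]]:
    # Visit the same (constructed) host over the given schemes, in order.
    jar, server = BrowserJar(), SessionServer(secure_cookie)
    return [server.handle(f"{s}://shop.example.test/page", jar) for s in schemes]
```

Stepping up (http then https) keeps one session in either mode, because the cookie set over http never carries Secure; the third walk below is the one a plaintext observer on the path benefits from.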
Re: HTTPS to HTTP
Posted by Bill Barker <wb...@wilshire.com>.
As the person that implemented the 3.3.2 behavior documented below, I'm more
than willing to review a patch to 4.1.x that would implement the same
behavior. I just can't bring myself to believe that it's that big of an
issue if it's not worth anyone's time to construct a patch.