Posted to users@tomcat.apache.org by Sundar Chakravarthy <sc...@doas.ga.gov> on 2002/10/07 16:30:58 UTC

RE: passing a session from non-SSL to SSL

Hi,


Does this mean I have to use pure https
for my webapp? Isn't there a performance
hit with pure SSL?

I thought after I log the user in using SSL I could
switch to non-SSL for the rest of the content.
This seems to be a real bottleneck.

Any options ? 

Thanks
Sundar

-----Original Message-----
From: Milt Epstein [mailto:mepstein@uiuc.edu]
Sent: Saturday, September 07, 2002 11:33 PM
To: Tomcat Users List
Subject: Re: passing a session from non-SSL to SSL


On Fri, 6 Sep 2002, Joshua Szmajda wrote:

> Hi all,
>
>     I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
> I'm noticing that my application is now losing track of its sessions
> when I switch from non-SSL to SSL. The code worked fine in Tomcat
> 3.2. I was wondering if there's something I'm missing. My
> server.xml has a single Ajp13 connector and a plain vanilla host /
> context configuration. I've JKMount'ed /* to ajp13 in apache on both
> the normal and SSL virtual hosts.
>
>     I'm sure it's something in the spec that's changed, but I can't
> for the life of me find out what. Changing the code is possible, but
> preferably avoidable as I didn't write it.

It's well known that Tomcat does not preserve sessions when switching
from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
versions, but that's true of the current version.  You can check the
archives to see where others have brought this up.

I don't think this is a spec issue, so I guess either it was an
implementation choice by the Tomcat developers or perhaps there's no
way (or no easy way) around it.  If it was an implementation choice, I
don't know what it was based on.  I believe there are other servlet
containers that you can set up so that such switching does not lose
sessions.  I'm not sure of all the technical issues involved.

Also note that some will say that it doesn't make sense to switch back
and forth between SSL and non-SSL because security is compromised.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
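Milt's reply above describes the behaviour without the mechanism. One concrete piece of it, added here as an illustration (this is not code from the thread, from Tomcat, or from Milt) is the cookie Secure attribute: a session cookie that the server issued over HTTPS with Secure set is never attached by the browser to a plain-HTTP request, so on the non-SSL side the container sees a client with no session cookie at all and starts a fresh session. Tomcat 4 sets Secure on a session cookie it creates for an HTTPS request. The script below uses Python's standard http.cookiejar, which applies the same Secure rule a browser does, to show which requests carry the session id when the cookie is flagged Secure and when it is not. The hostname and session id are constructed sample values. The non-Secure case is the one the last paragraph of the reply warns about: the session id then travels in cleartext on every non-SSL page, so the login that SSL protected is only as safe as the plain-HTTP link that follows it.

```python
"""Show how a browser-style cookie jar treats a session cookie issued
over HTTPS with and without the Secure attribute.

Added example, not code from the mailing-list thread or from Tomcat.
"""
import http.cookiejar
import urllib.request

# Constructed sample values; neither is from the thread.
HOST = "app.example"
SESSION_ID = "constructed-session-id-0001"
SESSION_COOKIE_NAME = "JSESSIONID"


def make_session_cookie(name, value, host, secure):
    """Build a host-only, version-0 session cookie the way a servlet
    container issues one (no Domain attribute, Path=/, no Expires).
    `secure` mirrors the Secure attribute a container sets when the
    session was created on a TLS connection."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for
    `url`, or None when no stored cookie is eligible for that scheme,
    host and path (the jar applies the Secure check itself)."""
    req = urllib.request.Request(url)   # never sent; only inspected
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(secure):
    """Issue one session cookie (flagged Secure or not) and report what the
    jar sends to an HTTPS page and to a plain-HTTP page on the same host."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie(SESSION_COOKIE_NAME, SESSION_ID,
                                       HOST, secure))
    return {
        "https": cookie_header_for(jar, "https://%s/account" % HOST),
        "http": cookie_header_for(jar, "http://%s/catalog" % HOST),
    }


def sent_in_cleartext(results):
    """True when the session id would be carried over plain HTTP, where any
    on-path observer can read and reuse it; this is the exposure that makes
    switching a logged-in session back to non-SSL a bad trade."""
    return results["http"] is not None


if __name__ == "__main__":
    for secure in (True, False):
        r = simulate(secure)
        print("Secure=%-5s https page -> %s" % (secure, r["https"]))
        print("             http page  -> %s" % r["http"])
        print("             session id exposed in cleartext: %s"
              % sent_in_cleartext(r))
```

With Secure set the HTTP request goes out with no Cookie header, which is exactly the "lost session" symptom; without it the same id appears on both requests, and the plain-HTTP one is readable by anyone between the browser and the server.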


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: passing a session from non-SSL to SSL

Posted by Milt Epstein <me...@uiuc.edu>.
On Mon, 7 Oct 2002, Sundar Chakravarthy wrote:

> Hi,
>
> Does this mean I have to use pure https for my webapp?

You'll probably have to look into all the pros/cons and available
alternatives to decide that.

> Isn't there a performance hit with pure SSL?

Probably.  A lot of it is with the initial negotiation, which you'd
have whether you stuck with SSL or not, but I believe there's still
some on each transaction (e.g. the decryption/encryption).


> I thought after I log the user in using SSL I could switch to non-SSL for
> the rest of the content.  This seems to be a real bottleneck.
>
> Any options ?
>
> Thanks
> Sundar
>
> -----Original Message-----
> From: Milt Epstein [mailto:mepstein@uiuc.edu]
> Sent: Saturday, September 07, 2002 11:33 PM
> To: Tomcat Users List
> Subject: Re: passing a session from non-SSL to SSL
>
>
> On Fri, 6 Sep 2002, Joshua Szmajda wrote:
>
> > Hi all,
> >
> >     I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
> > I'm noticing that my application is now losing track of its sessions
> > when I switch from non-SSL to SSL. The code worked fine in Tomcat
> > 3.2. I was wondering if there's something I'm missing. My
> > server.xml has a single Ajp13 connector and a plain vanilla host /
> > context configuration. I've JKMount'ed /* to ajp13 in apache on both
> > the normal and SSL virtual hosts.
> >
> >     I'm sure it's something in the spec that's changed, but I can't
> > for the life of me find out what. Changing the code is possible, but
> > preferably avoidable as I didn't write it.
>
> It's well known that Tomcat does not preserve sessions when switching
> from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
> versions, but that's true of the current version.  You can check the
> archives to see where others have brought this up.
>
> I don't think this is a spec issue, so I guess either it was an
> implementation choice by the Tomcat developers or perhaps there's no
> way (or no easy way) around it.  If it was an implementation choice, I
> don't know what it was based on.  I believe there are other servlet
> containers that you can set up so that such switching does not lose
> sessions.  I'm not sure of all the technical issues involved.
>
> Also note that some will say that it doesn't make sense to switch back
> and forth between SSL and non-SSL because security is compromised.
>
> Milt Epstein
> Research Programmer
> Integration and Software Engineering (ISE)
> Campus Information Technologies and Educational Services (CITES)
> University of Illinois at Urbana-Champaign (UIUC)
> mepstein@uiuc.edu

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
