Posted to users@tomcat.apache.org by Ismael Blesa Part <ib...@tissat.es> on 2004/06/07 16:10:06 UTC

Strange behaviour with session creation on http and https

I have set two connectors http and https. I have my webapp that is 
served by these two connectors.

I have discovered a strange behaviour with tomcat accessing through http 
and https.

If I open a browser to connect to http:
    - tomcat creates a session
    - my webapp receives the request and returns a page.

This is normal, but if I change (on the same window) the protocol and 
the port to use the https connector,
    - tomcat does not create a new session, it uses the old one created 
on the http access
    - my webapp receives the request, but it already has objects on the 
session.

However, if I connect first to https and then I change to http, I will 
have two sessions, one for https and the other one for http.

Should it not generate a new session when a change on the protocol is 
done?


I have tested this on tomcat 4.1.29, 5.0.25 with java 1.3.1 and 1.4.2 on 
linux (mandrake 10 and red hat enterprise)
Browsers tested IExplorer and Mozilla 1.6

To verify this, I have created a JSP that shows all the data related 
to sessions
<%
// Session id the client sent with this request, and where it came from
if (request != null) {
    out.println("<br>request.getRequestedSessionId() = " + request.getRequestedSessionId());
    out.println("<br>request.isRequestedSessionIdFromCookie = " + request.isRequestedSessionIdFromCookie());
    // getSession(false) returns the existing session without creating one
    HttpSession misession = request.getSession(false);
    if (misession != null) {
        // Message: "the session is retrieved from the request"
        out.println("<br>la sesion se recupera del request ");
        out.println("<br>request.getSession(false).getId() = " + misession.getId());
        out.println("<br>request.getSession(false).isNew() = " + misession.isNew());
    }

    out.println("<br>request.isRequestedSessionIdFromURL() = " + request.isRequestedSessionIdFromURL());
    out.println("<br>request.isRequestedSessionIdValid() = " + request.isRequestedSessionIdValid());
}
// Implicit JSP session object
if (session != null) {
    out.println("<br>session.getId() = " + session.getId());
    out.println("<br>session.isNew() = " + session.isNew());
}
%>

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Strange behaviour with session creation on http and https

Posted by John Sidney-Woollett <jo...@wardbrook.com>.
Ismael Blesa Part said:
> I would like to have different sessions for different schemas, that is,
> if you connect to http and then to https then TWO DIFFERENT sessions are
> created.
> But I have not found how to do this.
>
> My fear is that on different application servers the behaviour is
> different.

If this is the behaviour that you want, then you only have to worry about
the case when the user goes from http to https (because you want a new
session instead of the old one).

One way to do this would be to record the type of connection (secure or
not) in the session when it is created, and then when you go to a secure
connection, check the value you stored (in the session).

If it indicates that the session was not originally created by a secure
request, invalidate that session, and create a new one.

I think that will probably work.

John Sidney-Woollett
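
The check described in the reply above, sketched as a servlet filter. This is an added example, not code from the thread: the class name and session attribute name are hypothetical, and it assumes the javax.servlet Filter API with the filter mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: an https request never reuses a session created over http. */
public class SchemeBoundSessionFilter implements Filter {

    // Hypothetical attribute name recording how the session was created.
    static final String CREATED_SECURE = "example.session.createdSecure";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        HttpSession existing = request.getSession(false);
        if (existing != null && request.isSecure() && !wasCreatedSecure(existing)) {
            // The session id was issued over cleartext http: drop it and its
            // attributes so the webapp starts a fresh session for https.
            existing.invalidate();
        }

        chain.doFilter(req, res);

        // Stamp any session that exists now and is not yet marked, so a
        // later request can tell which connection type created it.
        HttpSession current = request.getSession(false);
        if (current != null && current.getAttribute(CREATED_SECURE) == null) {
            current.setAttribute(CREATED_SECURE,
                    request.isSecure() ? Boolean.TRUE : Boolean.FALSE);
        }
    }

    private static boolean wasCreatedSecure(HttpSession session) {
        // A missing stamp counts as "not secure", so unmarked sessions are replaced.
        return Boolean.TRUE.equals(session.getAttribute(CREATED_SECURE));
    }
}
```

Objects placed in the session during the http visit are discarded on the first https request, so anything that must survive the switch has to be re-established over https.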



Re: Strange behaviour with session creation on http and https

Posted by Ismael Blesa Part <ib...@tissat.es>.
I have reviewed the mailing list and I have found that the normal 
behaviour in tomcat is

You enter in http and then change to https (session is shared)
You enter in https and then in http (you have two different sessions)


I would like to have different sessions for different schemas, that is, 
if you connect to http and then to https then TWO DIFFERENT sessions are 
created.
But I have not found how to do this.

My fear is that on different application servers the behaviour is 
different.


Ismael

John Sidney-Woollett wrote:

>Ismael Blesa Part said:
>
>>I have set two connectors http and https. I have my webapp that is
>>served by these two connectors.
>
>[snip]
>
>>However, if I connect first to https and then I change to http, I will
>>have two sessions, one for https and the other one to http.
>
>I believe that this is normal.
>
>If you ensure that the session is created using a non secure page first
>(you can always redirect from a non-secure to a secure page after creating
>the session), then the problem will go away.
>
>John Sidney-Woollett



Re: Strange behaviour with session creation on http and https

Posted by John Sidney-Woollett <jo...@wardbrook.com>.
Ismael Blesa Part said:
>
> I have set two connectors http and https. I have my webapp that is
> served by these two connectors.

[snip]

> However, if I connect first to https and then I change to http, I will
> have two sessions, one for https and the other one to http.

I believe that this is normal.

If you ensure that the session is created using a non secure page first
(you can always redirect from a non-secure to a secure page after creating
the session), then the problem will go away.

John Sidney-Woollett
