Re: Session lost when switching from https to http in Tomcat 5.

2005-05-01 Thread Bob Feretich
Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a 
secure cookie that is tagged for port 443 (or 8443) when the session 
begins under HTTPS. Browsers are not allowed to send secure cookies 
under plain HTTP, so your session is lost. For Tomcat 4 or 5 you must 
start your session under HTTP, then switch to HTTPS to maintain a 
session across both. Tomcat 3 had a config.xml option to always store 
JSESSIONID as non-secure.  It's a long story. See the mailing list 
archive for the rants. In its current state, Tomcat's implementation 
does not agree with published Best Practices and the *proposed* State 
Management standard, but the decision was made to err on the side of 
security.

I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. 
The changes are not difficult, but you must implement your own mechanism 
to prevent session hijacking. Non-secure JSESSIONID cookies create a 
security hole.

The committees are supposed to address the security vs. state management 
issue in the next Servlet Spec.

Regards,
Bob Feretich

I have a servlet/JSP application in which users establish their
servlet session using https but conduct the rest of their
interactions using http. The session appears not to be preserved
between https and http, i.e. after switching back to http the
request.getSession(false) call returns null. Can anyone shed light on
this for me? Is this expected? Is there a
workaround/configuration/setting in Tomcat 5 I might have missed?
Thanks
Anthony


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
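To make Bob's explanation concrete, here is an added example (my own code, not from the thread and not Tomcat's): a toy browser cookie jar that honours the Secure attribute, and a Tomcat-like server that marks JSESSIONID Secure only when the session is created on an https request. The class and function names are my own, and the server is a constructed model rather than Tomcat's code.

```python
import secrets

class Browser:
    """Toy cookie jar applying the rule Bob describes: a cookie carrying
    the Secure attribute is only sent back over https."""
    def __init__(self):
        self.jar = {}  # cookie name -> (value, secure_flag)

    def store(self, set_cookie):
        # Parse a Set-Cookie header such as "JSESSIONID=abc; Path=/; Secure".
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        self.jar[name] = (value, any(p.lower() == "secure" for p in parts[1:]))

    def cookies_for(self, scheme):
        # Cookies the browser attaches to a request made over `scheme`.
        return {n: v for n, (v, sec) in self.jar.items()
                if scheme == "https" or not sec}

class TomcatLike:
    """Models Tomcat 4/5 (constructed): JSESSIONID gets the Secure
    attribute only when the session is created on an https request."""
    def __init__(self):
        self.sessions = {}

    def get_session(self, scheme, cookies, create):
        """Like request.getSession(create): (session id or None, Set-Cookie or None)."""
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return sid, None
        if not create:
            return None, None  # what Anthony sees on the http side
        sid = secrets.token_hex(8)
        self.sessions[sid] = {}
        header = f"JSESSIONID={sid}; Path=/"
        if scheme == "https":
            header += "; Secure"
        return sid, header

def simulate(schemes):
    """Create a session on request 1, then getSession(false) on the rest; return ids seen."""
    browser, server = Browser(), TomcatLike()
    seen = []
    for i, scheme in enumerate(schemes):
        cookies = browser.cookies_for(scheme)
        sid, header = server.get_session(scheme, cookies, create=(i == 0))
        if header:
            browser.store(header)
        seen.append(sid)
    return seen
```

`simulate(["https", "http"])` yields None for the second request (Anthony's symptom), while `simulate(["http", "https", "http"])` keeps one id throughout, which is Bob's "start under HTTP" advice; the model covers only the Secure attribute, not the port tagging Bob mentions.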


Re: Session lost when switching from https to http in Tomcat 5.

2005-05-01 Thread Anhony
Greetings,
Your help is greatly appreciated; I have had a devil of a time with this. I 
am glad to know this was not caused by an error in my code.

Again, thanks very much for your help.
Best Regards,
Anthony-
- Original Message - 
From: Bob Feretich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; tomcat-user@jakarta.apache.org
Sent: Sunday, May 01, 2005 4:48 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.


Re: Session lost when switching from https to http in Tomcat 5.

2005-04-28 Thread Anto Paul
Please specify the version of Tomcat and the URLs you used that caused problems. 
It is working fine for me on Tomcat 4.1.12, 4.1.30, 4.1.31.

-- 
rgds
Anto Paul




Re: Session lost when switching from https to http in Tomcat 5.

2005-04-28 Thread Anhony
I am using Tomcat 5.0.28
Users log into my application from https://xxx.com/login.jsp.  When 
submitted, I check for a valid userID/Password, create a session with 
getSession(), and then save the userID/Password in a session variable. The 
validated user is then returned to my main tools page. If the user then 
selects a link to a non-secure page, http://..., I get a return of null when 
performing getSession(false) when trying to check that the user is valid.

Thanks for the help.
Anthony
- Original Message - 
From: Anto Paul [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Thursday, April 28, 2005 10:26 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.



Re: Session lost when switching from https to http in Tomcat 5.

2005-04-28 Thread David Smith
Last I knew sessions are not shared between SSL and non-SSL connections 
by design (as opposed to a bug).  Your best bet is probably:

1. Start a session on the non-ssl side
2. Forward the user to the ssl login w/ the session id in the request
3. The ssl login stores the session id and any other important info in a 
shared persistence layer (i.e. database) and forwards back to the 
non-ssl side
4. The non-ssl side checks the persistence layer for its session id and 
any other info left by the login page.

--David


Re: Session lost when switching from https to http in Tomcat 5.

2005-04-28 Thread Hollerman Geralyn M
I am using Tomcat 5.0.16. An https session will have a different JSESSIONID than 
an http session, so Tomcat will think going from one to another is starting a new 
session. The JSESSIONID is stored as a secure cookie when you start from https; 
get this cookie and re-add it to the response as a non-secure cookie
(setSecure(false)), and then redirect to the http page.

--
Lynn Hollerman.