RE: passing a session from non-SSL to SSL

2002-10-07 Thread Sundar Chakravarthy


Hi,


Does this mean I have to use pure https
for my webapp? Isn't there a performance
hit with pure SSL?

I thought after I log the user in using SSL I could
switch to non-SSL for the rest of the content.
This seems to be a real bottleneck.

Any options ? 

Thanks
Sundar

-Original Message-
From: Milt Epstein [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 07, 2002 11:33 PM
To: Tomcat Users List
Subject: Re: passing a session from non-SSL to SSL


On Fri, 6 Sep 2002, Joshua Szmajda wrote:

 Hi all,

 I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
 I'm noticing that my application is now losing track of its sessions
 when I switch from non-SSL to SSL. The code worked fine in Tomcat
 3.2. I was wondering if there's something I'm missing. My
 server.xml has a single Ajp13 connector and a plain vanilla host /
 context configuration. I've JKMount'ed /* to ajp13 in apache on both
 the normal and SSL virtual hosts.

 I'm sure it's something in the spec that's changed, but I can't
 for the life of me find out what. Changing the code is possible, but
 preferably avoidable as I didn't write it.

It's well known that Tomcat does not preserve sessions when switching
from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
versions, but that's true of the current version.  You can check the
archives to see where others have brought this up.

I don't think this is a spec issue, so I guess either it was an
implementation choice by the Tomcat developers or perhaps there's no
way (or no easy way) around it.  If it was an implementation choice, I
don't know what it was based on.  I believe there are other servlet
containers that you can set up so that such switching does not lose
sessions.  I'm not sure of all the technical issues involved.

Also note that some will say that it doesn't make sense to switch back
and forth between SSL and non-SSL because security is compromised.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]






RE: passing a session from non-SSL to SSL

2002-10-07 Thread Cox, Charlie



 -Original Message-
 From: Sundar Chakravarthy [mailto:[EMAIL PROTECTED]]
 Sent: Monday, October 07, 2002 10:31 AM
 To: Tomcat Users List
 Subject: RE: passing a session from non-SSL to SSL
 
 
 
 Hi,
 
 
 Does this mean I have to use pure https
 for my webapp?

yes

 Isn't there a performance hit with pure SSL?
 
 I thought after I log the user in using SSL I could
 switch to non-SSL for the rest of the content.
 This seems to be a real bottleneck.
 

no no no no no! If you do this then someone could hijack your session id and
would be authenticated automatically. You need SSL for the whole session.

 Any options ? 
 
 Thanks
 Sundar
 
 -Original Message-
 From: Milt Epstein [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, September 07, 2002 11:33 PM
 To: Tomcat Users List
 Subject: Re: passing a session from non-SSL to SSL
 
 
 On Fri, 6 Sep 2002, Joshua Szmajda wrote:
 
  Hi all,
 
  I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
  I'm noticing that my application is now losing track of its sessions
  when I switch from non-SSL to SSL. The code worked fine in Tomcat
  3.2. I was wondering if there's something I'm missing. My
  server.xml has a single Ajp13 connector and a plain vanilla host /
  context configuration. I've JKMount'ed /* to ajp13 in apache on both
  the normal and SSL virtual hosts.
 
  I'm sure it's something in the spec that's changed, but I can't
  for the life of me find out what. Changing the code is possible, but
  preferably avoidable as I didn't write it.
 
 It's well known that Tomcat does not preserve sessions when switching
 from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
 versions, but that's true of the current version.  You can check the
 archives to see where others have brought this up.
 
 I don't think this is a spec issue, so I guess either it was an
 implementation choice by the Tomcat developers or perhaps there's no
 way (or no easy way) around it.  If it was an implementation choice, I
 don't know what it was based on.  I believe there are other servlet
 containers that you can set up so that such switching does not lose
 sessions.  I'm not sure of all the technical issues involved.
 
 Also note that some will say that it doesn't make sense to switch back
 and forth between SSL and non-SSL because security is compromised.
 
 Milt Epstein
 Research Programmer
 Integration and Software Engineering (ISE)
 Campus Information Technologies and Educational Services (CITES)
 University of Illinois at Urbana-Champaign (UIUC)
 [EMAIL PROTECTED]
 
 







RE: passing a session from non-SSL to SSL

2002-10-07 Thread Milt Epstein

On Mon, 7 Oct 2002, Sundar Chakravarthy wrote:

 Hi,

 Does this mean I have to use pure https for my webapp?

You'll probably have to look into all the pros/cons and available
alternatives to decide that.

 Isn't there a
 performance hit with pure SSL?

Probably.  A lot of it is with the initial negotiation, which you'd
have whether you stuck with SSL or not, but I believe there's still
some on each transaction (e.g. the decryption/encryption).


 I thought after I log the user in using SSL I could switch to non-SSL for
 the rest of the content.  This seems to be a real bottleneck.

 Any options ?

 Thanks
 Sundar

 -Original Message-
 From: Milt Epstein [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, September 07, 2002 11:33 PM
 To: Tomcat Users List
 Subject: Re: passing a session from non-SSL to SSL


 On Fri, 6 Sep 2002, Joshua Szmajda wrote:

  Hi all,
 
  I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
  I'm noticing that my application is now losing track of its sessions
  when I switch from non-SSL to SSL. The code worked fine in Tomcat
  3.2. I was wondering if there's something I'm missing. My
  server.xml has a single Ajp13 connector and a plain vanilla host /
  context configuration. I've JKMount'ed /* to ajp13 in apache on both
  the normal and SSL virtual hosts.
 
  I'm sure it's something in the spec that's changed, but I can't
  for the life of me find out what. Changing the code is possible, but
  preferably avoidable as I didn't write it.

 It's well known that Tomcat does not preserve sessions when switching
 from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
 versions, but that's true of the current version.  You can check the
 archives to see where others have brought this up.

 I don't think this is a spec issue, so I guess either it was an
 implementation choice by the Tomcat developers or perhaps there's no
 way (or no easy way) around it.  If it was an implementation choice, I
 don't know what it was based on.  I believe there are other servlet
 containers that you can set up so that such switching does not lose
 sessions.  I'm not sure of all the technical issues involved.

 Also note that some will say that it doesn't make sense to switch back
 and forth between SSL and non-SSL because security is compromised.

 Milt Epstein
 Research Programmer
 Integration and Software Engineering (ISE)
 Campus Information Technologies and Educational Services (CITES)
 University of Illinois at Urbana-Champaign (UIUC)
 [EMAIL PROTECTED]





Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]






Re: passing a session from non-SSL to SSL

2002-09-12 Thread Gary Lyons

Does anyone have an answer for this?? I can't find anything in the docs that
covers this. Please help.

Gary Lyons

Joshua Szmajda wrote:

 Hi all,

 I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm
 noticing that my application is now losing track of its sessions when I
 switch from non-SSL to SSL. The code worked fine in Tomcat 3.2. I was
 wondering if there's something I'm missing. My server.xml has a single
 Ajp13 connector and a plain vanilla host / context configuration. I've
 JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.

 I'm sure it's something in the spec that's changed, but I can't for
 the life of me find out what. Changing the code is possible, but
 preferably avoidable as I didn't write it.

 Thanks in advance!
 -Joshua Szmajda







Re: passing a session from non-SSL to SSL

2002-09-12 Thread Milt Epstein

On Thu, 12 Sep 2002, Gary Lyons wrote:

 Does anyone have an answer for this?? I can't find anything in the
 docs that covers this. Please help.

Check the archives, this question has come up before.

And there were a couple of responses (including one or two from me)
when this was first posted, a week or so ago.


 Joshua Szmajda wrote:

  Hi all,
 
  I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm
  noticing that my application is now losing track of its sessions when I
  switch from non-SSL to SSL. The code worked fine in Tomcat 3.2. I was
  wondering if there's something I'm missing. My server.xml has a single
  Ajp13 connector and a plain vanilla host / context configuration. I've
  JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.
 
  I'm sure it's something in the spec that's changed, but I can't for
  the life of me find out what. Changing the code is possible, but
  preferably avoidable as I didn't write it.
 
  Thanks in advance!
  -Joshua Szmajda
 


Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]






RE: passing a session from non-SSL to SSL (fwd)

2002-09-08 Thread Milt Epstein

This thread was started on the list a few days ago.  John Turner and I
exchanged a message or two on it that unintentionally weren't posted
to the list.  I'm reposting them to the list now, in case they might
be of interest to anyone, or anyone would like to add their own comments.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

-- Forwarded message --
From: Milt Epstein
To: Turner, John
Sent: 9/8/02 12:18 AM
Subject: RE: passing a session from non-SSL to SSL

On Sat, 7 Sep 2002, Turner, John wrote:

 But wait...Joshua is using mod_jk, which means Tomcat isn't involved
 in the SSL communication...everything Tomcat is getting is
 unencrypted across the connector port (8009).  Tomcat isn't flipping
 between 8080 and 8443, or even 80 and 443.  Why shouldn't the
 sessions be the same?  I haven't looked at the AJP spec, but it
 would seem to me that there's no way Tomcat would know the request
 was sent to Apache on 80 or 443.

Well, I did say I wasn't sure of all the technical issues involved :-).
What you bring up may make a difference.

However, typically sessions are handled by cookies, and cookies do
have a secure field, and the AJP13 connector does set that field (I
just checked the source), and that could make a difference.  That is,
the browser may not send a cookie whose secure field is set on http
requests (and vice-versa with https).  In fact, that may be the entire
issue with sessions and switching between SSL and non-SSL.

Not sure what would happen if URL-Rewriting is used for sessions
instead of cookies.


 -Original Message-
 From: Milt Epstein
 To: Tomcat Users List
 Sent: 9/7/02 11:32 PM
 Subject: Re: passing a session from non-SSL to SSL

 On Fri, 6 Sep 2002, Joshua Szmajda wrote:

  Hi all,
 
  I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
  I'm noticing that my application is now losing track of its sessions
  when I switch from non-SSL to SSL. The code worked fine in Tomcat
  3.2. I was wondering if there's something I'm missing. My
  server.xml has a single Ajp13 connector and a plain vanilla host /
  context configuration. I've JKMount'ed /* to ajp13 in apache on both
  the normal and SSL virtual hosts.
 
  I'm sure it's something in the spec that's changed, but I can't
  for the life of me find out what. Changing the code is possible, but
  preferably avoidable as I didn't write it.

 It's well known that Tomcat does not preserve sessions when switching
 from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
 versions, but that's true of the current version.  You can check the
 archives to see where others have brought this up.

 I don't think this is a spec issue, so I guess either it was an
 implementation choice by the Tomcat developers or perhaps there's no
 way (or no easy way) around it.  If it was an implementation choice, I
 don't know what it was based on.  I believe there are other servlet
 containers that you can set up so that such switching does not lose
 sessions.  I'm not sure of all the technical issues involved.

 Also note that some will say that it doesn't make sense to switch back
 and forth between SSL and non-SSL because security is compromised.


Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
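Added example (not code from Tomcat and not code from any poster in this thread): a small Python model of the two points made above, Milt's explanation that the AJP13 connector marks the session cookie Secure so the browser withholds it on http requests, and Charlie Cox's warning that a session id which travels over plain http can be hijacked. ToyServer is a stand-in for the container's session manager, not Tomcat's own; the cookie name JSESSIONID, the user name "sundar" and the rotate_on_login option are assumptions for illustration, and the sample traffic is constructed inline.

```python
"""Why a session seems to vanish when a browser moves between https and
http, and why staying on plain http after an https login is hijackable.

Added illustration for this thread, not Tomcat code and not code from any
poster.  ToyServer stands in for the container's session manager, BrowserJar
implements the browser rule Milt describes (a cookie carrying the Secure
attribute is sent only on https requests) and Sniffer is a passive observer
of the http leg.  JSESSIONID and the user name are assumptions.
"""
import secrets
from collections import namedtuple

COOKIE = "JSESSIONID"  # assumed session cookie name
Cookie = namedtuple("Cookie", "name value secure")


class BrowserJar:
    """One cookie per name; Secure cookies are withheld on http."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookie):
        self.cookies[cookie.name] = cookie  # same name replaces the old one

    def cookies_for(self, scheme):
        return {c.name: c.value for c in self.cookies.values()
                if scheme == "https" or not c.secure}


class Sniffer:
    """Anyone on the path of the plaintext http leg."""

    def __init__(self):
        self.seen = {}

    def tap(self, scheme, cookies):
        if scheme == "http":
            self.seen.update(cookies)
        return cookies


class ToyServer:
    """Marks the session cookie Secure iff the request that created the
    session was https (what the thread says the AJP13 connector does).
    rotate_on_login issues a fresh id, bound to https, at authentication."""

    def __init__(self, rotate_on_login=False):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> attributes

    def _new_session(self, scheme, jar, attrs=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = dict(attrs or {})
        if jar is not None:
            jar.store(Cookie(COOKIE, sid, scheme == "https"))
        return sid

    def handle(self, scheme, cookies, jar=None, login_as=None):
        """One request; returns (session id, authenticated user or None)."""
        sid = cookies.get(COOKIE)
        if sid not in self.sessions:
            sid = self._new_session(scheme, jar)
        if login_as is not None:
            if self.rotate_on_login:
                attrs = self.sessions.pop(sid)  # the old id is now worthless
                attrs["user"] = login_as
                sid = self._new_session(scheme, jar, attrs)
            else:
                self.sessions[sid]["user"] = login_as
        return sid, self.sessions[sid].get("user")


def https_login_then_http():
    """Milt's case: the session created over https rides on a Secure cookie,
    the browser withholds it on the next http request, and the server sees
    no session at all."""
    server, jar = ToyServer(), BrowserJar()
    sid_https, _ = server.handle("https", jar.cookies_for("https"), jar,
                                 login_as="sundar")
    sid_http, user_http = server.handle("http", jar.cookies_for("http"), jar)
    return {"same_session": sid_https == sid_http,
            "user_seen_on_http": user_http}


def mixed_flow(rotate_on_login):
    """Sundar's plan: http landing page, https login, http for the rest.
    Without rotation the pre-login cookie is not Secure, so the session
    survives the switch and the sniffer can replay it (Charlie's warning).
    With rotation the captured id is dead and the http leg is anonymous."""
    server = ToyServer(rotate_on_login)
    jar, sniffer = BrowserJar(), Sniffer()
    # 1. anonymous hit over http; the Set-Cookie reply also crosses in clear
    server.handle("http", sniffer.tap("http", jar.cookies_for("http")), jar)
    sniffer.tap("http", jar.cookies_for("http"))
    # 2. login form posted over https
    sid_login, _ = server.handle("https", jar.cookies_for("https"), jar,
                                 login_as="sundar")
    # 3. back to http for the rest of the content
    sid_http, user_http = server.handle(
        "http", sniffer.tap("http", jar.cookies_for("http")), jar)
    # 4. the sniffer replays whatever it captured, from its own client
    _, hijacked = server.handle("https", dict(sniffer.seen))
    return {"session_survived_switch": sid_http == sid_login,
            "user_seen_on_http": user_http,
            "hijacked_user": hijacked}
```

https_login_then_http() reproduces Joshua's symptom: the second request arrives without a cookie and gets a fresh, anonymous session. mixed_flow(False) is the plan Sundar asked about; the session survives the switch only because the cookie was minted on the http landing page without Secure, and the sniffer's replay is accepted as the logged-in user. mixed_flow(True) rotates the id at login and binds the new cookie to https, which defeats the replay but brings back the symptom the thread started with: the http leg cannot see the authenticated session. Either the authenticated session is visible over http and therefore capturable, or it is not visible there at all, which is Charlie's point that the whole logged-in session belongs on SSL.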






passing a session from non-SSL to SSL

2002-09-07 Thread Joshua Szmajda

Hi all,

I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and I'm 
noticing that my application is now losing track of its sessions when I 
switch from non-SSL to SSL. The code worked fine in Tomcat 3.2. I was
wondering if there's something I'm missing. My server.xml has a single 
Ajp13 connector and a plain vanilla host / context configuration. I've 
JKMount'ed /* to ajp13 in apache on both the normal and SSL virtual hosts.

I'm sure it's something in the spec that's changed, but I can't for 
the life of me find out what. Changing the code is possible, but 
preferably avoidable as I didn't write it.

Thanks in advance!
-Joshua Szmajda






Re: passing a session from non-SSL to SSL

2002-09-07 Thread Milt Epstein

On Fri, 6 Sep 2002, Joshua Szmajda wrote:

 Hi all,

 I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
 I'm noticing that my application is now losing track of its sessions
 when I switch from non-SSL to SSL. The code worked fine in Tomcat
 3.2. I was wondering if there's something I'm missing. My
 server.xml has a single Ajp13 connector and a plain vanilla host /
 context configuration. I've JKMount'ed /* to ajp13 in apache on both
 the normal and SSL virtual hosts.

 I'm sure it's something in the spec that's changed, but I can't
 for the life of me find out what. Changing the code is possible, but
 preferably avoidable as I didn't write it.

It's well known that Tomcat does not preserve sessions when switching
from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
versions, but that's true of the current version.  You can check the
archives to see where others have brought this up.

I don't think this is a spec issue, so I guess either it was an
implementation choice by the Tomcat developers or perhaps there's no
way (or no easy way) around it.  If it was an implementation choice, I
don't know what it was based on.  I believe there are other servlet
containers that you can set up so that such switching does not lose
sessions.  I'm not sure of all the technical issues involved.

Also note that some will say that it doesn't make sense to switch back
and forth between SSL and non-SSL because security is compromised.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

