Practices and the *proposed* State
Management standard, but the decision was made to err on the side of
security.
I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS.
The changes are not difficult, but you must implement your own mechanism
to prevent session hijacking. Non-secure
Sent: Sunday, May 01, 2005 4:48 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.
Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a secure
cookie that is tagged for port 443 (or 8443) when the session begins under
HTTPS
I have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest of their interactions using http.
The session appears not to be preserved between https and http, ie. after
switching from back to http the request.getSession(false) call returns
On 4/28/05, Anhony [EMAIL PROTECTED] wrote:
I have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest of their interactions using http.
The session appears not to be preserved between https and http, ie. after
switching from back to http
Sent: Thursday, April 28, 2005 10:26 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.
On 4/28/05, Anhony [EMAIL PROTECTED] wrote:
I have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest
Subject: Re: Session lost when switching from https to http in Tomcat 5.
On 4/28/05, Anhony [EMAIL PROTECTED] wrote:
I have a servlet/JSP application in which users establish their servlet
session using https but conduct the rest of their interactions using
http.
The session appears not to be preserved
Anhony [EMAIL PROTECTED] wrote:
I am using Tomcat 5.0.28
Users log into my application from https://xxx.com/login.jsp. When
submitted, I check for a valid userID/Password, create a session with
getSession(), and then save the userID/Password in a session variable.
The validated user is then
Hi,
I am trying to implement SSL for Tomcat 5.0.30 Java 1.4 latest for
selected sites only.
I configured a url path pattern: /jsp/login.jsp
logging onto this site, SSL works, redirecting to /jsp/index.jsp still
uses SSL :-(
Requesting java actions are completely ignored like
The Tomcat code distinguishes between http and https accesses, with
respect to session continuation. Specifically, when
HttpServletResponse.encodeRedirectURL() or
HttpServletResponse.encodeURL() are called for URL rewriting (client
has cookies turned off), if the current servlet is accessed via
Hello,
I have a problem with Tomcat 5.0.26 where I need to use JavaScript to set
the page location (document.location.href) in order to trigger a page
reload. The session gets lost when the protocol changes from HTTP to HTTPS
due to the secure setting in the session cookie.
It seems Tomcat
On Sat, Aug 28, 2004 at 12:53:15PM -0700, Tim Waldner wrote:
: The session gets lost when the protocol changes from HTTP to HTTPS
: due to the secure setting in the session cookie.
: [snip]
: Is there any way to control this behavior in the configuration? I would
: like to configure all session
All;
We are having a chronic problem that is causing a lot of trouble with our
application's users.
In our app, we authenticate users on our HTTPS server and then serve the
homepage also on HTTPS. All links on the homepage to the other pages in our
app switch the user to the same url on
Subject: Session lost between HTTPS and HTTP
All;
We are having a chronic problem that is causing a lot of trouble with our
application's users.
In our app, we authenticate users on our HTTPS server and then serve the
homepage also on HTTPS. All links on the homepage to the other pages in our
As far as I know, http://www.app.com/ and https://www.app.com/ are supposed
to be allowed to share cookies on standard ports.
http://w6.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html
Ian.
-Original Message-
From: Filip Hanik [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003
Subject: RE: Session lost between HTTPS and HTTP
As far as I know, http://www.app.com/ and https://www.app.com/ are supposed
to be allowed to share cookies on standard ports.
http://w6.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html
Ian.
-Original Message-
From: Filip Hanik [mailto
I could be wrong of course :))
-Original Message-
From: Filip Hanik
Sent: Tuesday, February 04, 2003 9:51 AM
To: Tomcat Users List
Subject: RE: Session lost between HTTPS and HTTP
This scenario will convince you...maybe :)
1. You enter a bank on non secure page- HTTP
2. You log
Sent: Tuesday, February 04, 2003 12:51 PM
To: Tomcat Users List
Subject: RE: Session lost between HTTPS and HTTP
This scenario will convince you...maybe :)
1. You enter a bank on non secure page- HTTP
2. You log in and start messing with your accounts
3. Then you go back to HTTP and somebody can hi-jack your
-Original Message-
From: Zabel, Ian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 9:55 AM
To: 'Tomcat Users List'
Subject: RE: Session lost between HTTPS and HTTP
Cookies are only valid for a domain though. So if the cookie was created on
http://banksite.com it will be valid for https
Sent: Tuesday, February 04, 2003 9:55 AM
To: 'Tomcat Users List'
Subject: RE: Session lost between HTTPS and HTTP
Cookies are only valid for a domain though. So if the cookie was
created on
http://banksite.com it will be valid for https://banksite.com as
well. It is
the same website. Banksite.com resolves to the same IP
for example https://banking.wellsfargo.com, once you are logged on to https, they will
not let you access that server using http.
filip
-Original Message-
From: Filip Hanik
Sent: Tuesday, February 04, 2003 9:58 AM
To: Tomcat Users List
Subject: RE: Session lost between HTTPS and HTTP
Hm, I understand what you're saying, and I agree.
But, this used to work fine before Tomcat. ServletExec maintained our
sessions across HTTP and HTTPS.
I don't know how Tomcat deals with this, which I guess is why I'm asking the
list.
One thing I have discovered by using a bit of a sniffer
observed: if a session starts using
an http: URL, it's available over http: and https: connections. If the
session starts over https:, it's available over https: only.
This also fits with how one would hope this would work from a security point
of view.
Dan.
-Original Message-
From: Zabel
To: Tomcat Users List
Subject: RE: Session lost between HTTPS and HTTP
Cookies can be set 'secure' (Cookie.setSecure(true)). Secure cookies are
only sent to servers by browsers over a secure connection.
When Tomcat starts a new session, it sets the cookie to be secure if the
session is opened
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Yes, that is clearly a risk. The *whole* web application needs to have no
risks in order to allow http access to any of it - any sensitive link
back into the secure sections of the site under the
guise of the user whose session I hijacked. How is that security?
Jake
At 08:17 PM 1/9/2003 -0800, you wrote:
I'm aware of that. The tomcat-specific issue is that it won't let you
make the transition from https to http on the same session
Sent: Friday, January 10, 2003 2:02 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In this scenario, the *only* page requiring SSL would be
the login page that collects the username and password.
(That could be either a dedicated application login page
or the login page configured for form-based login. Basic
-Original Message-
From: John Holman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:02 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In this scenario, the *only* page requiring SSL would be
the login page that collects the username and password.
(That could be either a dedicated
Is there an FTP connector for Tomcat? If so, I would be very interested in
it.
Thanks,
John
-Original Message-
From: Shah, Sanjay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 1:03 PM
To: 'Tomcat Users List'
Cc: 'Craig R. McClanahan'
Subject: RE: HTTPS to HTTP
Hello
n if you step up
to
https but not the reverse. I read in the following document that in tomcat
3.3.2 you can allow a session to be valid via http even if it was created
via https:
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId
secureCookie
[Tomcat 3.3.2]
Raiden,
If you really want to maintain the session between HTTPs and HTTP you
can do it by writing the link to the insecure page
with the session id like this: (using JSP)
From the insecure page:
<form method="post"
      action="http://(youraddress/insecurepage)<%= session.getId() %>">
  <input type="submit">
</form>
Ralph Einfeldt wrote:
Anybody who can listen to your traffic, can hijack
a session. He just has to create a request with the
same sessionid (either as cookie or in the url).
So after you go back from https to http you open
the session to an attacker.
The risks that are involved
Thanks for the comments
regards,
Dave
- Original Message -
From: John Holman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, January 09, 2003 9:44 PM
Subject: Re: HTTPS to HTTP
Ralph Einfeldt wrote:
Anybody who can listen to your traffic, can hijack
Sent: Thursday, January 09, 2003 11:44 AM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In that case the session may as well be conducted
in http (e.g. for performance reasons).
the sysadmins session ...)
-Original Message-
From: David Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 12:08 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
That is my exact situation. The sysadmin section of the site
is 100% https.
but on the user side
authentication to form
authentication and the sysadmin visits the user side
and somebody steals the sysadmins session ...)
-Original Message-
From: David Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 12:08 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
On Thu, 9 Jan 2003, John Holman wrote:
Date: Thu, 09 Jan 2003 12:56:16 +
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Yes, that is clearly a risk. The *whole* web application needs
On Thu, 9 Jan 2003, John Holman wrote:
Date: Thu, 09 Jan 2003 12:58:19 +
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Ralph Einfeldt wrote:
I don't think that performance
Hello Craig:
I was reading one of your post in tomcat user archive regarding
implementation of FTP protocol under Catalina.
One of my requirement is exactly the same.
In my case the FTP security and processing needs to be managed on a per
customer basis, however this tends to be closely
On Thu, 9 Jan 2003, Shah, Sanjay wrote:
Date: Thu, 9 Jan 2003 13:02:32 -0500
From: Shah, Sanjay [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Cc: 'Craig R. McClanahan' [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
Hello Craig:
I was reading one of your post in tomcat user
Craig,
I agree with you 100% but there can be a simple solution to the problem
that you just raised..and that is that a new session id is created and
mapped in some table when moving from https--http this way user B can not
get access to the admin page.
~Sumit
On Thu, 9 Jan 2003, John
On Thu, 9 Jan 2003, Shrotriya, Sumit wrote:
Date: Thu, 9 Jan 2003 12:45:20 -0600
From: Shrotriya, Sumit [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
Craig,
I agree with you 100% but there can
That is my exact situation. The sysadmin section of the site is 100% https.
but on the user side there is nothing that sensitive and little harm
they could cause by stealing someone's session. It would not be worth going
to the trouble of stealing the session for the benefit you would get.
I don't think that performance is a reason to keep
the session after a switch because in the most
applications the amount of protocol switches is
quite small when compared to the total number of
requests within one protocol.
A possibly stupid question -- is it possible to send graphics
I agree with you 100% but there can be a simple solution to the problem
that you just raised..and that is that a new session id is created and
mapped in some table when moving from https--http this way user B can not
get access to the admin page.
Two things you'd have to be really careful
On Fri, 10 Jan 2003, Joel Rees wrote:
Date: Fri, 10 Jan 2003 10:56:37 +0900
From: Joel Rees [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
I don't think that performance is a reason to keep
the session
graphics raw and
text encrypted?
Sure ... make your <img src=...> URLs in the encrypted pages point at
absolute http: (not https:) URLs of where the images are.
I'm thinking that shipping images raw and text under https might help
those who are concerned about performance. Would this open
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
If you're going to switch from https-http, you are totally wasting your
time messing with https in the first place. It buys you nothing except a
*perception* that you are more secure -- that is not the reality.
You keep repeating
On Fri, 10 Jan 2003, Joel Rees wrote:
Date: Fri, 10 Jan 2003 11:22:42 +0900
From: Joel Rees [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
I don't think that performance is a reason to keep
On Thu, 9 Jan 2003, Schnitzer, Jeff wrote:
Date: Thu, 9 Jan 2003 18:39:34 -0800
From: Schnitzer, Jeff [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
* The most common use case for wanting HTTPS-HTTP is to let you
log on with HTTPS so your password does not go across the
Internet unencrypted, but run the rest of the application on
HTTP. Having to reauthenticate again means
At 08:17 PM 1/9/2003 -0800, you wrote:
I'm aware of that. The tomcat-specific issue is that it won't let you
make the transition from https to http on the same session. That's
frustrating.
bite on this one. But first I'll say that I agree mostly with
your and Craig's position on this because in general most people aren't
experienced enough with security to make good decisions about what
is going on. However this particular issues that has been raised
can make use of the HTTPS-HTTP
performance)
-Original Message-
From: Joel Rees [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:57 AM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
A possibly stupid question -- is it possible to send graphics raw and
text encrypted?
that in tomcat 3.3.2 you can allow a session to be
valid via http even if it was created via https:
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId
secureCookie
[Tomcat 3.3.2] If true, then Tomcat will mark the Session ID cookie as
Secure if the session
Anybody who can listen to your traffic, can hijack
a session. He just has to create a request with the
same sessionid (either as cookie or in the url).
So after you go back from https to http you open
the session to an attacker.
The risks that are involved with that, depends
I've secured my website with Apache, using the SSL connector.
But I have a problem : Imagine I have a page with confidential data to send.
This page has the following URL : https://localhost:8443/importantData.html
We only have to change manually the URL with
-Original Message-
From: Frédéric LE MAISTRE [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 10 October 2002 10:04
To: [EMAIL PROTECTED]
Subject: Tomcat SSL - Changing URL https to http
This page has the following URL :
https://localhost:8443/importantData.html
Forgot to mention that this belongs in web.xml.
-Original Message-
From: Ralph Einfeldt
Sent: Thursday, 10 October 2002 10:29
To: Tomcat Users List
Subject: RE: Tomcat SSL - Changing URL https to http
<security-constraint>
<web-resource-collection>
web-resource
thanks very much. is CONFIDENTIAL a keyword?
- Original Message -
From: Ralph Einfeldt [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 10:34 AM
Subject: RE: Tomcat SSL - Changing URL https to http
Forgot to mention that this belongs
/servlet/download.html#specs
-Original Message-
From: Frédéric LE MAISTRE [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 10 October 2002 10:50
To: Tomcat Users List
Subject: Re: Tomcat SSL - Changing URL https to http
thanks very much. is CONFIDENTIAL a keyword
-Original Message-
From: Frédéric LE MAISTRE [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 4:04 AM
To: [EMAIL PROTECTED]
Subject: Tomcat SSL - Changing URL https to http
I've secured my website with Apache, using the SSL connector.
But I have a problem : Imagine I have a page
thanks a lot
- Original Message -
From: Turner, John [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 2:57 PM
Subject: RE: Tomcat SSL - Changing URL https to http
Disable the connector on 8080 in server.xml if you don't want requests going
Rich Catlett wrote:
Yes, I am trying to access an https site through a proxy. As I said
before I'm asking this question because the error I get on the client
side - Unrecognized SSL handshake says, as far as I can tell, that an
https connection is being attempted on an http line. I have
with a connector expecting an https connection
on port 445.
CONNECT only makes sense if you need to access an https site through a
proxy - there is no https through http happening anywhere.
What are you trying to achieve?
Regards,
Graham
I'm trying to tunnel https through a proxy using the CONNECT method.
tomcat 4.1-dev is running with a connector expecting an https connection
on port 445. The proxy returns a 200 to the client which then attempts
to create the tunneled connection and do a handshake. The error I get
is
Gurmeet,
I'm pretty sure this is because the page you were looking at was cached on
your browser. When you clicked refresh, the server returned an updated
copy. Because of Tomcat's behavior with https - http, you then lost your
session.
This has happened to me a ton of times
upgrading to Tomcat 4.0.3 now using ajp13 the session appears not to
be preserved between https and http, ie. after switching back to http the
request.getSession(false) call returns null.
This seems to indicate that the session tracking mechanism has changed
between Tomcat 3 and Tomcat 4. Can
You are right Manuel,
Tomcat 4.0.2 using SSL unfortunately always sets a Secure flag
on JSESSIONIDs, which do not (depending on browser) allow
you to do this https-http switch.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6983
A Macintosh using IE 5 cannot even obtain a _standard_ SSL
Sent: Tuesday, March 26, 2002 4:08 PM
To: [EMAIL PROTECTED]; Tomcat Users List
Cc: Peter Tornberg
Subject: Re: Session lost when switching from https to http in Tomcat 4
You are right Manuel,
Tomcat 4.0.2 using SSL unfortunately always sets a Secure flag
on JSESSIONIDs, which do not (depending on browser
when switching from https to http in Tomcat 4
Hi,
I just read this and tested for my app also wherein I would have the same
problem in coming days.
Any better way of overcoming this problem other than persisting the session
manually.
Regards,
Gurmeet
-Original Message-
From: Anders
Sent: Tuesday, March 26, 2002 6:49 PM
To: Tomcat Users List
Subject: Re: Session lost when switching from https to http in Tomcat 4
Gurmeet,
The only known workarounds I know of are handling sessions in URLs or
patching the CookieTools class which we did.
Anders
- Original Message -
From: Gurmeet
Gurmeet,
I (or rather my colleague), removed the line that appends Secure to JSESSIONIDs.
Anders
- Original Message -
From: Gurmeet [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, March 26, 2002 14:32
Subject: RE: Session lost when switching from https to http
Anders thanks a lot.
-Original Message-
From: Anders Rundgren [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 7:34 PM
To: Tomcat Users List
Subject: Re: Session lost when switching from https to http in Tomcat 4
Gurmeet,
I (or rather my colleague), removed the line that appends
To: [EMAIL PROTECTED]; Tomcat Users List
Cc: Peter Tornberg
Subject: Re: Session lost when switching from https to http in Tomcat 4
You are right Manuel,
Tomcat 4.0.2 using SSL unfortunately always sets a Secure flag
on JSESSIONIDs, which do not (depending on browser) allow
you to do this https-http switch.
http
Subject: Re: Session lost when switching from https to http in Tomcat 4
Anders,
thanks, I will try your patch and hope that the Tomcat developer community
will take your suggestion to make this behaviour configurable on board.
Manuel
-Original Message-
From: Anders Rundgren [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 March
Hi again, well my problem stems from migrating from Tomcat 3.2.3 to
Tomcat 4.
Thus I wanted to set up a secure Tomcat 4 server utilising SSL. I have
installed the JSSE support and placed the 3 jars into the jdk
installation/jre/lib/ext dir. The CA's and CERT's have been
self-created(
hi, I know I've gotten a response to this question but I'm still somewhat in
the dark. My problem, if you weren't the one responding to it or if you
didn't get a chance to read it, is this: I have a website
https://mysite.com:8443. when I delete the s from https and the port
number from the url
the https
session. But alas, switching from https to http wipes out session info on
Netscape (4.7). When my post login jsp pages reference the previously set
session login object via http, null is returned. However, if I stay in
https, everything is fine.
I know bea weblogic has a solution where
. My deployment descriptor is attached.
My PROBLEM is now that Tomcat doesn't switch between http and https
respectively. If the initial access to the protected resource is via http,
also the login form is accessed via http, *although I required secure access
in the deployment descriptor. If I
Subject: HTTPS to HTTP proxying
Ok, so
I have a situation where we are doing an HTTPS to HTTP proxy.
Essentially a proxy receives the HTTPS request, makes an HTTP request to
the server with Tomcat running standalone and then the response is
returned through the proxy back to the user
support? (it came with 3.2 so you need to get that version if
you're not already using it).
Regards, Stefan.
-Original Message-
From: Geoff Lane [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2001 23:31
To: [EMAIL PROTECTED]
Subject: HTTPS to HTTP proxying
Ok, so
I have a situation