Session lost between HTTPS and HTTP

2003-02-04 Thread Zabel, Ian
All; We are having a chronic problem that is causing a lot of trouble with our application's users. In our app, we authenticate users on our HTTPS server and then serve the homepage also on HTTPS. All links on the homepage to the other pages in our app switch the user to the same URL on

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Filip Hanik
] Subject: Session lost between HTTPS and HTTP All; We are having a chronic problem that is causing a lot of trouble with our application's users. In our app, we authenticate users on our HTTPS server and then serve the homepage also on HTTPS. All links on the homepage to the other pages in our

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Zabel, Ian
12:40 PM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP Yeah, it is a security issue I believe. Not sure how Tomcat does that, but it shouldn't allow a session that was created on HTTPS to switch to HTTP. Filip -Original Message- From: Zabel, Ian [mailto:[EMAIL

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Filip Hanik
' Subject: RE: Session lost between HTTPS and HTTP As far as I know, http://www.app.com/ and https://www.app.com/ are supposed to be allowed to share cookies on standard ports. http://w6.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html Ian. -Original Message- From: Filip Hanik [mailto

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Filip Hanik
I could be wrong of course :)) -Original Message- From: Filip Hanik Sent: Tuesday, February 04, 2003 9:51 AM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP This scenario will convince you...maybe :) 1. You enter a bank on non-secure page - HTTP 2. You log

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Zabel, Ian
, February 04, 2003 12:51 PM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP This scenario will convince you...maybe :) 1. You enter a bank on non-secure page - HTTP 2. You log in and start messing with your accounts 3. Then you go back to HTTP and somebody can hijack your

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Filip Hanik
Message- From: Zabel, Ian [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 04, 2003 9:55 AM To: 'Tomcat Users List' Subject: RE: Session lost between HTTPS and HTTP Cookies are only valid for a domain though. So if the cookie was created on http://banksite.com it will be valid for https

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Mike Jackson
9:55 AM To: 'Tomcat Users List' Subject: RE: Session lost between HTTPS and HTTP Cookies are only valid for a domain though. So if the cookie was created on http://banksite.com it will be valid for https://banksite.com as well. It is the same website. Banksite.com resolves to the same IP

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Filip Hanik
for example https://banking.wellsfargo.com, once you are logged on to https, they will not let you access that server using http. filip -Original Message- From: Filip Hanik Sent: Tuesday, February 04, 2003 9:58 AM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Zabel, Ian
knows where it is. Ian. -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 04, 2003 12:58 PM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP Maybe you misunderstood me. If I want to pretend that I am you, all I have to do

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Daniel Brown
, Ian [mailto:[EMAIL PROTECTED]] Sent: 04 February 2003 18:06 To: 'Tomcat Users List' Subject: RE: Session lost between HTTPS and HTTP Hm, I understand what you're saying, and I agree. But, this used to work fine before Tomcat. ServletExec maintained our sessions across HTTP and HTTPS. I

RE: Session lost between HTTPS and HTTP

2003-02-04 Thread Zabel, Ian
PM To: Tomcat Users List Subject: RE: Session lost between HTTPS and HTTP Cookies can be set 'secure' (Cookie.setSecure(true)). Secure cookies are only sent to servers by browsers over a secure connection. When Tomcat starts a new session, it sets the cookie to be secure if the session is opened