RE: Session behaviour across http/https boundary
Hi Bill,

Thanks for clarifying. BTW, do you know if this policy is in the browser, or if Tomcat uses the Referer header to implement it on the server?

Thanks
Martin

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: 09 April 2004 06:22
To: [EMAIL PROTECTED]
Subject: Re: Session behaviour across http/https boundary

Martin Alley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
> I have a small web app that appears to illustrate the following behaviour.
> Session started in http is carried over to https, but session started in
> https is *not* carried over to http! Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session behaviour across http/https boundary
On Apr 9, 2004, at 3:28 AM, Martin Alley wrote:
> BTW, do you know if this policy is in the browser, or if Tomcat uses the
> Referer header to implement it on the server?

This is probably a side effect of the way cookies work. A cookie can have a
'secure' flag set, which means it won't get sent over a normal http
connection. There is nothing which prevents a non-secure cookie from being
sent on a https connection. So if you establish a session via http, that same
session will get used when you switch to https but possibly not vice versa.

Sandy McArthur
RE: Session behaviour across http/https boundary
This is implemented within Tomcat.

Mark

-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: Friday, April 09, 2004 8:28 AM
To: 'Tomcat Users List'
Subject: RE: Session behaviour across http/https boundary

Hi Bill,

Thanks for clarifying. BTW, do you know if this policy is in the browser, or if Tomcat uses the Referer header to implement it on the server?

Thanks
Martin

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: 09 April 2004 06:22
To: [EMAIL PROTECTED]
Subject: Re: Session behaviour across http/https boundary

Martin Alley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
> I have a small web app that appears to illustrate the following behaviour.
> Session started in http is carried over to https, but session started in
> https is *not* carried over to http! Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).
Session behaviour across http/https boundary
Hi,

I have a small web app that appears to illustrate the following behaviour.
Session started in http is carried over to https, but session started in
https is *not* carried over to http! Why?

Web app has 3 pages:
  Index.jsp
  Page2.jsp
  Logout.jsp (does session invalidate, forwards to index.jsp)

1) go to index.jsp as http (session1)
2) follow https link to page2.jsp (session1)
3) follow https link to logout.jsp
4) now at https index.jsp with session2 (session2 created in https world)
5) follow https link to page2.jsp again (session2)
6) follow *http* link to index.jsp (session 3!!!)

I don't understand why session 3 is created.
I read that old browsers don't maintain sessions between http and https; I'm
using IE6.

Can anyone explain this?

Thanks
Martin

PS Code is below.

** index.jsp

<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
<html>
<body>
<%
    // getSession(false) only looks up an existing session; the JSP implicit
    // "session" object (page directive session="true" by default) has already
    // created one before this scriptlet runs if the request carried none.
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("index.jsp");
    __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
%>
<p>
SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
</p>
<p>
<a href="<%= response.encodeURL("https://localhost:8443/sessiontest/page2.jsp") %>">page2</a>
<a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
</p>
</body>
</html>

** page2.jsp

<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
<html>
<body>
<%
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("page2");
    __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
%>
<p>
SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
</p>
<p>
<a href="<%= response.encodeURL("http://localhost:8080/sessiontest/index.jsp") %>">index page</a><br/>
<a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
</p>
</body>
</html>

** logout.jsp

<%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
<%
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession mysession = req.getSession(false);
    Log __log = LogFactory.getLog(this.getClass());
    __log.info("logout.jsp");
    __log.info("pre invalidate SessionID=" + (mysession == null ? null : mysession.getId()));
    // "session" is the JSP implicit session object; invalidating it drops the
    // server-side state, and the forward below lets index.jsp create a new one
    if (session != null) session.invalidate();
    __log.info("post invalidate SessionID=" + (mysession == null ? null : mysession.getId()));
    RequestDispatcher rd = req.getRequestDispatcher("/index.jsp");
    rd.forward(req, (HttpServletResponse) response);
%>
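A small added model (example code, not from the thread or from Tomcat) that replays Martin's six steps against the cookie rule Sandy McArthur describes: the container flags the JSESSIONID cookie Secure when the session is created over https, and the browser-side jar withholds Secure cookies from plain http requests. The CookieJar and Container classes, the page names and the session ids are constructed for the example.

```python
import itertools

class CookieJar:
    """Browser side: one cookie per name, Secure rule applied when sending."""
    def __init__(self):
        self.cookies = {}  # name -> (value, secure_flag)

    def store(self, set_cookie):
        # Same name replaces the old cookie: Secure is not part of its identity.
        if set_cookie is not None:
            name, value, secure = set_cookie
            self.cookies[name] = (value, secure)

    def for_request(self, https):
        # Secure cookies only ride https; plain cookies go on both schemes.
        return {n: v for n, (v, sec) in self.cookies.items() if https or not sec}

class Container:
    """Server side: session lookup/creation, modelled on Tomcat's behaviour."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.live = set()

    def request(self, https, page, cookies):
        """Return (session id the page sees, Set-Cookie tuple or None)."""
        sid = cookies.get("JSESSIONID")
        if page == "logout.jsp":
            self.live.discard(sid)  # session.invalidate(); the forward to
            sid = None              # index.jsp then creates a fresh session
        if sid not in self.live:
            sid = "S%d" % next(self._ids)
            self.live.add(sid)
            # Tomcat flags the new JSESSIONID cookie Secure exactly when the
            # request that created the session arrived over https.
            return sid, ("JSESSIONID", sid, https)
        return sid, None

def replay(steps):
    """Run (https?, page) steps through one browser jar and one server."""
    jar, server = CookieJar(), Container()
    seen = []
    for https, page in steps:
        sid, set_cookie = server.request(https, page, jar.for_request(https))
        jar.store(set_cookie)
        seen.append(sid)
    return seen

# Constructed replay of Martin's six steps (3 and 4 are one request: logout forwards to index.jsp)
MARTINS_STEPS = [(False, "index.jsp"), (True, "page2.jsp"), (True, "logout.jsp"),
                 (True, "page2.jsp"), (False, "index.jsp")]
# replay(MARTINS_STEPS) -> ['S1', 'S1', 'S2', 'S2', 'S3']
```

Step 6 yields S3 because the only JSESSIONID the jar holds by then is the Secure one minted at logout, so nothing is sent over http and the container starts over.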
Re: Session behaviour across http/https boundary
Martin Alley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
> I have a small web app that appears to illustrate the following behaviour.
> Session started in http is carried over to https, but session started in
> https is *not* carried over to http! Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).

> Web app has 3 pages:
>   Index.jsp
>   Page2.jsp
>   Logout.jsp (does session invalidate, forwards to index.jsp)
>
> 1) go to index.jsp as http (session1)
> 2) follow https link to page2.jsp (session1)
> 3) follow https link to logout.jsp
> 4) now at https index.jsp with session2 (session2 created in https world)
> 5) follow https link to page2.jsp again (session2)
> 6) follow *http* link to index.jsp (session 3!!!)
>
> I don't understand why session 3 is created.
> I read that old browsers don't maintain sessions between http and https; I'm
> using IE6.
>
> Can anyone explain this?
>
> Thanks
> Martin
>
> PS Code is below.
>
> ** index.jsp
>
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
> <html>
> <body>
> <%
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpSession mysession = req.getSession(false);
>     Log __log = LogFactory.getLog(this.getClass());
>     __log.info("index.jsp");
>     __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
> %>
> <p>
> SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
> </p>
> <p>
> <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/page2.jsp") %>">page2</a>
> <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
> </p>
> </body>
> </html>
>
> ** page2.jsp
>
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
> <html>
> <body>
> <%
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpSession mysession = req.getSession(false);
>     Log __log = LogFactory.getLog(this.getClass());
>     __log.info("page2");
>     __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
> %>
> <p>
> SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
> </p>
> <p>
> <a href="<%= response.encodeURL("http://localhost:8080/sessiontest/index.jsp") %>">index page</a><br/>
> <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
> </p>
> </body>
> </html>
>
> ** logout.jsp
>
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
> <%
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpSession mysession = req.getSession(false);
>     Log __log = LogFactory.getLog(this.getClass());
>     __log.info("logout.jsp");
>     __log.info("pre invalidate SessionID=" + (mysession == null ? null : mysession.getId()));
>     if (session != null) session.invalidate();
>     __log.info("post invalidate SessionID=" + (mysession == null ? null : mysession.getId()));
>     RequestDispatcher rd = req.getRequestDispatcher("/index.jsp");
>     rd.forward(req, (HttpServletResponse) response);
> %>