RE: Session behaviour across http/https boundary

2004-04-09 Thread Martin Alley
Hi Bill,

Thanks for clarifying.  

BTW Do you know if this policy is in the browser, or if Tomcat uses the
Referer header to implement it on the server?

Thanks
Martin

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: 09 April 2004 06:22
To: [EMAIL PROTECTED]
Subject: Re: Session behaviour across http/https boundary


Martin Alley [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I have a small web app that appears to illustrate the following
 behaviour.
 Session started in http is carried over to https, but session started
 in https is *not* carried over to http!

 Why?

This is for security reasons (so that it isn't possible to steal
sensitive
information that was entered in via SSL).




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Session behaviour across http/https boundary

2004-04-09 Thread Sandy McArthur
On Apr 9, 2004, at 3:28 AM, Martin Alley wrote:

BTW Do you know if this policy is in the browser, or if Tomcat uses the
Referer header to implement it on the server?
This is probably a side effect of the way cookies work. A cookie can 
have a 'secure' flag set, which means it won't get sent over a normal 
http connection. There is nothing which prevents a non-secure cookie 
from being sent on a https connection. So if you establish a session 
via http, that same session will get used when you switch to https but 
possibly not vice versa.

Sandy McArthur



RE: Session behaviour across http/https boundary

2004-04-09 Thread Mark Thomas
This is implemented within tomcat.

Mark 

 -Original Message-
 From: Martin Alley [mailto:[EMAIL PROTECTED] 
 Sent: Friday, April 09, 2004 8:28 AM
 To: 'Tomcat Users List'
 Subject: RE: Session behaviour across http/https boundary
 
 Hi Bill,
 
 Thanks for clarifying.  
 
 BTW Do you know if this policy is in the browser, or if Tomcat uses the
 Referer header to implement it on the server?
 
 Thanks
 Martin
 






Re: Session behaviour across http/https boundary

2004-04-08 Thread Bill Barker

Martin Alley [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I have a small web app that appears to illustrate the following
 behaviour.
 Session started in http is carried over to https, but session started in
 https is *not* carried over to http!

 Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).


 Web app has 3 pages
 Index.jsp
 Page2.jsp
 Logout.jsp (does session invalidate & forward to index.jsp)

 1) go to index.jsp as http (session1)
 2) follow https link to page2.jsp (session1)
 3) follow https link to logout.jsp
 4) now at https index.jsp with session2 (session2 created in https
 world)
 5) follow https link to page2.jsp again (session2)
 6) follow *http* link to index.jsp (session 3!!!)

 I don't understand why session 3 is created.

 I read that old browsers don't maintain sessions between http and https;
 I'm using IE6

 Can anyone explain this?

 Thanks
 Martin
 PS Code is below.





 **index.jsp
 <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>

 <html>
 <body>
 <%
 HttpServletRequest req = (HttpServletRequest) request;
 // JSP pages have session="true" by default, so the container has already
 // created a session before this scriptlet runs; getSession(false) will not
 // return null here.
 HttpSession mysession = req.getSession(false);

 Log __log = LogFactory.getLog(this.getClass());
 __log.info("index.jsp");

 __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
 %>
 <p>
 SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
 </p>

 <%-- encodeURL only appends ;jsessionid=... when the client did not send a session cookie --%>
 <p>
 <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/page2.jsp") %>">page2</a>
 <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
 </p>
 </body>
 </html>

 **page2.jsp
 <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
 <html>
 <body>
 <%
 HttpServletRequest req = (HttpServletRequest) request;
 HttpSession mysession = req.getSession(false);

 Log __log = LogFactory.getLog(this.getClass());
 __log.info("page2");

 __log.info("SessionID=" + (mysession == null ? null : mysession.getId()));
 %>
 <p>
 SessionID=<%= (mysession == null ? null : mysession.getId()) %><br/>
 </p>

 <p>
 <a href="<%= response.encodeURL("http://localhost:8080/sessiontest/index.jsp") %>">index page</a><br/>
 <a href="<%= response.encodeURL("https://localhost:8443/sessiontest/logout.jsp") %>">logout</a><br/>
 </p>

 </body>
 </html>


 **logout.jsp
 <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*" %>
 <%
 HttpServletRequest req = (HttpServletRequest) request;
 HttpSession mysession = req.getSession(false);
 Log __log = LogFactory.getLog(this.getClass());
 __log.info("logout.jsp");
 __log.info("pre invalidate SessionID=" + (mysession == null ? null : mysession.getId()));
 // 'session' is the JSP implicit object, i.e. the same session as mysession
 if (session != null)
     session.invalidate();

 __log.info("post invalidate SessionID=" + (mysession == null ? null : mysession.getId()));

 // forward to index.jsp, which obtains a new session on this same (https) request
 RequestDispatcher rd = req.getRequestDispatcher("/index.jsp");
 rd.forward(req, (HttpServletResponse) response);
 %>




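The two rules Sandy and Mark describe above (the browser withholds a Secure cookie on plain http; the container marks JSESSIONID Secure when the session was created on an https request) replayed against the six steps of Martin's original post. This is an added example, not code from the thread or from Tomcat: CookieJar models the browser rule from RFC 6265 section 5.4, Server models a container that behaves as Tomcat does (and, with mark_secure=False, one that does not), and the class names, the mark_secure switch, the session ids and the URLs are this example's own assumptions.

```python
"""Toy browser cookie jar and servlet container used to replay the thread's
six steps.  Added example; not code from the thread or from Tomcat.
Names such as Server, Browser, CookieJar and mark_secure are this example's own."""
from dataclasses import dataclass
from itertools import count
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # the Secure attribute from Set-Cookie


class CookieJar:
    """Browser side: RFC 6265 section 5.4, a Secure cookie is only sent on https."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        self._cookies[cookie.name] = cookie  # same name overwrites, as in a browser

    def cookies_for(self, url):
        https = urlsplit(url).scheme == "https"
        return {c.name: c.value for c in self._cookies.values() if https or not c.secure}


class Server:
    """Server side.  Every page obtains a session (a JSP's implicit session
    object does this for you).  With mark_secure=True the container marks
    JSESSIONID Secure when the session was created on an https request, which
    is what Tomcat does; mark_secure=False models a container that does not."""

    def __init__(self, mark_secure=True):
        self.mark_secure = mark_secure
        self._ids = count(1)
        self.sessions = set()  # ids of live sessions

    def handle(self, url, cookies):
        parts = urlsplit(url)
        sid = cookies.get("JSESSIONID")
        set_cookie = None
        if parts.path.endswith("/logout.jsp") and sid in self.sessions:
            self.sessions.discard(sid)  # session.invalidate(), then forward to index.jsp
            sid = None
        if sid not in self.sessions:  # no cookie, unknown id, or invalidated id
            sid = f"session{next(self._ids)}"
            self.sessions.add(sid)
            secure = self.mark_secure and parts.scheme == "https"
            set_cookie = Cookie("JSESSIONID", sid, secure=secure)
        return sid, set_cookie


class Browser:
    def __init__(self, server):
        self.server = server
        self.jar = CookieJar()

    def get(self, url):
        """Send the cookies the jar allows for this URL; store any Set-Cookie."""
        sid, set_cookie = self.server.handle(url, self.jar.cookies_for(url))
        if set_cookie is not None:
            self.jar.store(set_cookie)
        return sid


def cookie_visibility():
    """The cookie rule in isolation: which cookies reach an http vs an https URL."""
    jar = CookieJar()
    jar.store(Cookie("plain", "1"))
    jar.store(Cookie("locked", "2", secure=True))
    return jar.cookies_for("http://localhost:8080/x"), jar.cookies_for("https://localhost:8443/x")


def replay_thread_scenario(mark_secure=True):
    """Steps 1-6 from the original post; returns the session id seen at each step."""
    b = Browser(Server(mark_secure))
    http = "http://localhost:8080/sessiontest/"
    https = "https://localhost:8443/sessiontest/"
    return [
        b.get(http + "index.jsp"),    # 1) session1 created, cookie not Secure
        b.get(https + "page2.jsp"),   # 2) non-Secure cookie is sent on https: session1
        b.get(https + "logout.jsp"),  # 3/4) invalidate, forward: session2, Secure cookie
        b.get(https + "page2.jsp"),   # 5) session2
        b.get(http + "index.jsp"),    # 6) Secure cookie withheld on http: session3
    ]


if __name__ == "__main__":
    print("cookies sent to http/https:", cookie_visibility())
    print("Tomcat-style (Secure on https-created session):", replay_thread_scenario())
    print("no Secure flag (id minted over TLS leaks on http):", replay_thread_scenario(False))
```

The third line of output is what Bill's "security reasons" protect against: without the Secure flag, the id minted over TLS at step 3 would be presented in cleartext at step 6, where anyone on the path could read it. Note that the other direction stays open, as the thread observes: a session started over plain http is carried into https, so an id seen on the wire before login remains valid afterwards unless the application issues a fresh one at login (request.changeSessionId() in Servlet 3.1 containers, or invalidate and recreate in older ones).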