Re: HTTPS to HTTP invalidates Session
On Wed, Jan 13, 2016 at 2:48 AM, Arjun Dhar wrote:

> Thanks for the reply Martin.
>
> Notes:
> 1. Encoding JSESSIONID in the URL did not fix the issue for me. Though,
> I'll explore this more, maybe something in my environment is preventing the
> JSESSIONID from the URL determining the session.
>
> 2. Question >> Got the code for HTTPS and redirect to pages that need to be
> secured over HTTPS (though opposite use case for this thread). Though, I've
> wondered why the extra effort when in web.xml one can mark URL patterns as
> Secured and even set up Apache rewrite rules to do the same with more ease.
> Any particular reason the Wicket developers thought it necessary to provide
> this?

No idea. I have never used any of those in my applications.

> thanks a ton.
>
> -
> Software documentation is like sex: when it is good, it is very, very
> good; and when it is bad, it is still better than nothing!
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-results-in-PageExpiredException-tp4673262p4673280.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
Re: HTTPS to HTTP invalidates Session
Thanks for the reply Martin.

Notes:
1. Encoding JSESSIONID in the URL did not fix the issue for me. Though, I'll explore this more, maybe something in my environment is preventing the JSESSIONID from the URL determining the session.

2. Question >> Got the code for HTTPS and redirect to pages that need to be secured over HTTPS (though opposite use case for this thread). Though, I've wondered why the extra effort when in web.xml one can mark URL patterns as Secured and even set up Apache rewrite rules to do the same with more ease. Any particular reason the Wicket developers thought it necessary to provide this?

thanks a ton.

-
Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
HTTPS to HTTP invalidates Session
Hi,

I have an admin Panel that is on HTTPS. It allows a user to preview a link on the site on HTTP.
The problem is when doing that, when I return to the Admin Panel and perform any Ajax request, then what I get is:
org.apache.wicket.protocol.http.PageExpiredException: Request cannot be processed. The target page does not exist anymore.

Observations:
a. The session is being invalidated.
b. The JSESSIONID in the admin to start and the target page were the same (surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be granted in target Window?)

If someone can explain (a) & (b) and as a bonus any workaround without compromising security.
For me this is a Nice to Have not a Must have, but I need to understand what's going on here.

thanks

-
Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-invalidates-Session-tp4673262.html
Sent from the Users forum mailing list archive at Nabble.com.
Re: HTTPS to HTTP invalidates Session
Hi,

The HttpSession must be created within an HTTP request if you want to share it between HTTP and HTTPS requests. A session created by an HTTPS request is not shared with HTTP requests.
The reason is that the JSESSIONID cookie created in HTTPS is "secure" and it is not preserved for the HTTP requests, so the session is "lost".
I guess encoding the jsessionid in the URL will fix this problem.

In Wicket code we have this comment about this:
https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/https/HttpsMapper.java#L336-L337

Some extra links:
- http://stackoverflow.com/a/15067895/497381
- http://www.nuwanbando.com/2010/05/sharing-https-http-sessions-in-tomcat/

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 12, 2016 at 1:57 AM, Arjun Dhar <dhar...@yahoo.com> wrote:

> Hi,
> I have an admin Panel that is on HTTPS. It allows a user to preview a link
> on the site on HTTP.
> The problem is when doing that, when I return to the Admin Panel and perform
> any Ajax request, then what I get is:
> org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
> processed. The target page does not exist anymore.
>
> Observations:
> a. The session is being invalidated.
> b. The JSESSIONID in the admin to start and the target page were the same
> (surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
> granted in target Window?)
>
> If someone can explain (a) & (b) and as a bonus any workaround without
> compromising security.
> For me this is a Nice to Have not a Must have, but I need to understand
> what's going on here.
>
> thanks
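
The cookie rule described in the reply above, as an added example that is not part of the original thread or of Wicket: Python's standard `http.cookiejar` plays the browser, and a hypothetical `ToyContainer` issues JSESSIONID the way the reply describes (marked Secure when the session is created over HTTPS). The host `site.example` and the session ids are constructed.

```python
import http.cookiejar
import itertools
import urllib.request
from email.message import Message


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls info()."""
    def __init__(self, set_cookie=None):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class ToyContainer:
    """Hypothetical model of a servlet container's session tracking."""
    def __init__(self):
        self.sessions = set()
        self._ids = itertools.count(1)

    def handle(self, jar, url):
        """Serve one request through the jar; return the session id used."""
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)            # the jar applies the Secure rule here
        sent = req.get_header("Cookie", "")   # "JSESSIONID=S1" or "" if withheld
        sid = sent.partition("=")[2]
        set_cookie = None
        if sid not in self.sessions:          # no usable cookie: start a new session
            sid = f"S{next(self._ids)}"
            self.sessions.add(sid)
            secure = "; Secure" if req.type == "https" else ""
            set_cookie = f"JSESSIONID={sid}; Path=/; HttpOnly{secure}"
        jar.extract_cookies(FakeResponse(set_cookie), req)
        return sid


def session_created_over_https():
    """Admin page first (HTTPS), then the HTTP preview."""
    jar, server = http.cookiejar.CookieJar(), ToyContainer()
    admin = server.handle(jar, "https://site.example/admin")
    preview = server.handle(jar, "http://site.example/preview")
    return admin, preview


def session_created_over_http():
    """HTTP page first, then the HTTPS admin page."""
    jar, server = http.cookiejar.CookieJar(), ToyContainer()
    first = server.handle(jar, "http://site.example/preview")
    admin = server.handle(jar, "https://site.example/admin")
    return first, admin
```

In the second case both schemes share one session only because the JSESSIONID cookie lacks the Secure attribute, so the same session id is also sent over plain HTTP.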