Re: HTTPS to HTTP invalidates Session

2016-01-12 Thread Martin Grigorov
On Wed, Jan 13, 2016 at 2:48 AM, Arjun Dhar wrote:

> Thanks for the reply Martin.
>
> Notes:
> 1. Encoding JSESSIONID in the URL did not fix the issue for me. Though,
> I'll explore this more; maybe something in my environment is preventing the
> JSESSIONID from the URL from determining the session.
>
> 2. Question >> Got the code for HTTPS and redirect to pages that need to be
> secured over HTTPS (though the opposite use case for this thread). Though, I've
> wondered why the extra effort when in web.xml one can mark URL patterns as
> secured and even set up Apache rewrite rules to do the same with more ease.
> Any particular reason the Wicket developers thought it necessary to provide
> this?
>

No idea.
I have never used any of those in my applications.


>
> thanks a ton.
>
> -
> Software documentation is like sex: when it is good, it is very, very
> good; and when it is bad, it is still better than nothing!
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-results-in-PageExpiredException-tp4673262p4673280.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>


Re: HTTPS to HTTP invalidates Session

2016-01-12 Thread Arjun Dhar
Thanks for the reply Martin.

Notes:
1. Encoding JSESSIONID in the URL did not fix the issue for me. Though,
I'll explore this more; maybe something in my environment is preventing the
JSESSIONID from the URL from determining the session.

2. Question >> Got the code for HTTPS and redirect to pages that need to be
secured over HTTPS (though the opposite use case for this thread). Though, I've
wondered why the extra effort when in web.xml one can mark URL patterns as
secured and even set up Apache rewrite rules to do the same with more ease.
Any particular reason the Wicket developers thought it necessary to provide
this?

thanks a ton.

-
Software documentation is like sex: when it is good, it is very, very good; and 
when it is bad, it is still better than nothing!



HTTPS to HTTP invalidates Session

2016-01-11 Thread Arjun Dhar
Hi,
I have an admin panel that is on HTTPS. It allows a user to preview a link
on the site on HTTP.
The problem is that when doing that, when I return to the admin panel and perform
any Ajax request, what I get is:
org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
processed. The target page does not exist anymore.

Observations:
a. The session is being invalidated.
b. The JSESSIONID in the admin at the start and in the target page were the same
(surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
granted in the target window?)

If someone can explain (a) & (b), and as a bonus any workaround without
compromising security.
For me this is a nice to have, not a must have, but I need to understand
what's going on here.

thanks




-
Software documentation is like sex: when it is good, it is very, very good; and 
when it is bad, it is still better than nothing!
--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-invalidates-Session-tp4673262.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: HTTPS to HTTP invalidates Session

2016-01-11 Thread Martin Grigorov
Hi,

The HttpSession must be created within an HTTP request if you want to share it
between HTTP and HTTPS requests.
A session created by an HTTPS request is not shared with HTTP requests.
The reason is that the JSESSIONID cookie created in HTTPS is "secure" and
is not preserved for HTTP requests, so the session is "lost". I
guess encoding the jsessionid in the URL will fix this problem.

In Wicket code we have this comment about this:
https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/https/HttpsMapper.java#L336-L337

Some extra links:
- http://stackoverflow.com/a/15067895/497381
- http://www.nuwanbando.com/2010/05/sharing-https-http-sessions-in-tomcat/

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 12, 2016 at 1:57 AM, Arjun Dhar <dhar...@yahoo.com> wrote:

> Hi,
> I have an admin panel that is on HTTPS. It allows a user to preview a link
> on the site on HTTP.
> The problem is that when doing that, when I return to the admin panel and
> perform any Ajax request, what I get is:
> org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
> processed. The target page does not exist anymore.
>
> Observations:
> a. The session is being invalidated.
> b. The JSESSIONID in the admin at the start and in the target page were the same
> (surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
> granted in the target window?)
>
> If someone can explain (a) & (b), and as a bonus any workaround without
> compromising security.
> For me this is a nice to have, not a must have, but I need to understand
> what's going on here.
>
> thanks
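Martin's explanation above, as an added example that is not part of the thread or of Wicket: Python's standard cookie jar applies the same rule a browser does for the Secure attribute (RFC 6265, a Secure cookie is attached only to requests over a secure scheme), so it can reproduce the symptom with no network at all. The host name, session id and URL paths are constructed for the example; the `;jsessionid=` path parameter is the form servlet containers use for URL rewriting. The block shows a session created over HTTPS vanishing on the HTTP preview request (the PageExpiredException case), the rewritten-URL workaround making the id visible to the server again, and a session created under HTTP travelling on both schemes.

```python
"""Added example (not from the thread): why a session created over HTTPS is
"lost" on an HTTP request, modelled with the standard-library cookie jar.
Host name, session id and URLs below are constructed for the demonstration."""
import http.cookiejar
import urllib.parse
import urllib.request

ADMIN_HOST = "admin.example.test"          # constructed host name
SESSION_ID = "C0NSTRUCTEDSESSI0NID1234"    # constructed id, not a real token


def session_cookie(secure):
    """Build the JSESSIONID cookie a servlet container would set.
    secure=True mirrors a session created during an HTTPS request."""
    return http.cookiejar.Cookie(
        version=0, name="JSESSIONID", value=SESSION_ID,
        port=None, port_specified=False,
        domain=ADMIN_HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={"HttpOnly": None},
    )


def cookie_header(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when the Secure/domain/path policy withholds every cookie."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_id_from_request(url, cookie_hdr):
    """What the container sees: the id from the Cookie header, or from the
    ;jsessionid= path parameter when URL rewriting is enabled.
    Returns (session_id, source) with source 'cookie', 'url' or None."""
    if cookie_hdr:
        for part in cookie_hdr.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":
                return value, "cookie"
    path = urllib.parse.urlsplit(url).path
    marker = ";jsessionid="
    if marker in path.lower():
        idx = path.lower().index(marker) + len(marker)
        return path[idx:].split(";")[0], "url"
    return None, None


def resolve_session(created_over_https, url):
    """Simulate one follow-up request after the session was created either
    over HTTPS (Secure cookie) or over HTTP (plain cookie)."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(session_cookie(secure=created_over_https))
    return session_id_from_request(url, cookie_header(jar, url))


if __name__ == "__main__":
    https_admin = "https://%s/admin/ajax" % ADMIN_HOST
    http_preview = "http://%s/preview/page" % ADMIN_HOST
    http_rewritten = "http://%s/preview/page;jsessionid=%s" % (ADMIN_HOST, SESSION_ID)
    # Session created over HTTPS: cookie is Secure.
    print(resolve_session(True, https_admin))     # found via cookie
    print(resolve_session(True, http_preview))    # (None, None): the symptom in the thread
    print(resolve_session(True, http_rewritten))  # found via URL, the jsessionid workaround
    # Session created over HTTP: plain cookie, sent on both schemes.
    print(resolve_session(False, http_preview))   # found via cookie
```

The two workarounds the thread discusses both trade away what the Secure flag provides: a URL-encoded jsessionid lands in browser history, proxy and access logs and outgoing Referer headers, and a non-Secure cookie created under HTTP carries the id in clear on every HTTP request. For an admin session that is a poor trade, so the defender-friendly fix is to serve the preview over HTTPS as well (or give it a separate, unprivileged session) rather than making the admin session reachable from HTTP.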