A workaround might be to "RESET" (that is, resend) the cookie without the SECURE flag turned on.
-Tim
[EMAIL PROTECTED] wrote:
Hello configuration gurus,
I recently upgraded to Tomcat 5.0.19, and I wonder if there is a solution to this problem yet. The problem is that in the Tomcat 4 (and apparently Tomcat 5) series, tomcat forces it so that if a session starts under https, then the session cookie is FORCED to be secure.
I understand that this is to protect people from having hijacked sessions as a general case. However, there are some of us that manage this on our own (sending our own secure cookie that we use to make sure https pages aren't hijacked), and we would like our session cookie to be available to http AND https, as we move back and forth through those pages depending on the sensitivity of the content.
If the session is created under http, then it is available to http and https. The problem only happens when the session is created under https. And, unfortunately, my app has quite a few places where the session NEEDS to be created under https, but needs to be available to http and https pages.
If this "secureCookie" option is not in Tomcat 5, does anyone else have a solution? In the past, I've had to recompile the AJP mod_jk code after commenting out the following lines where it creates the session cookie:
if (hreq.isSecure()) cookie.setSecure(true);
I know that others have also asked about this, and I'm hoping there's a better solution than having to comment out those lines and recompile the code every time there is a Tomcat update.
Any help is appreciated.
Thank you, -Raiden Johnson
---------- Forwarded message ---------- Date: Mon, 25 Nov 2002 17:23:27 -0800 (PST) Subject: Is there a secureCookie type of parameter for Tomcat 4.1.12?
Hello,
Tomcat 3.3.2 has a secureCookie parameter that restores the old behavior of not making the sessionId cookie a secure cookie if it was created under https. Is there such a parameter in 4.1.12?
I know there has been a thread debating the reasons as to why a session that is created under https is not available to http pages.
However, I have an application that was designed for the old spec, in which a session was available to both http and https pages, regardless of which protocol the session was created under.
I have avoided the security problem of hijacked sessions by making sure that sensitive pages ALWAYS require https, and I drop a secure cookie of my own when someone logs in (the login page is under https of course), so that even if someone hijacks the http pages, they cannot hijack the https pages without passing back that cookie (whose contents I store in the session for verification).
However, since upgrading to 4.1.12, I have realized that my application can no longer function, because I rely on people creating a session under https... and then accessing non-sensitive pages under http. But, in 4.1.12, the session is not available to subsequently accessed http pages... and I really don't want to start encrypting these non-sensitive pages. (But, I do want the user logged in before they can access these pages.)
Does something like the secureCookie parameter exist in 4.1.12?
Thanks, Raiden
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
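A worked version of the two mechanisms discussed in this thread, written here as an added example; it is not code from the thread, from Raiden, from Tim, or from Tomcat itself. It is a servlet filter that refuses to serve a sensitive page over plain http and checks the Secure-only cookie Raiden describes against the value stored in the session, plus a helper that does what Tim suggests: re-send the session cookie without the Secure flag so the browser will present it on http pages again. The cookie name LOGINTOKEN, the session attribute name, the /secure/* mapping and the JSESSIONID path handling are assumptions; the code targets the javax.servlet API.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example (not from the thread or from Tomcat): a filter that fronts the
 * HTTPS-only part of the application and verifies a Secure-only login token
 * against the copy kept in the HttpSession. Names below are assumptions.
 */
public class SecureAreaFilter implements Filter {
    static final String TOKEN_COOKIE = "LOGINTOKEN";   // assumed cookie name
    static final String TOKEN_ATTR = "secure.token";   // assumed session attribute
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Call from the HTTPS login page once credentials have been verified. */
    public static void issueToken(HttpServletRequest req, HttpServletResponse resp) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);                          // 256 bits of unguessable token
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        Cookie c = new Cookie(TOKEN_COOKIE, token);
        c.setSecure(true);                           // browser sends it only over HTTPS
        c.setPath("/");
        resp.addCookie(c);
    }

    /**
     * Tim's workaround: re-send the session id cookie without the Secure flag.
     * Cookie identity is name + domain + path, so this replaces the Secure one
     * Tomcat set. The session id now travels in clear on every http request,
     * which is the tradeoff the thread accepts; it is only tolerable because the
     * filter below demands the Secure-only token before serving anything sensitive.
     */
    public static void resendSessionCookieWithoutSecure(HttpServletRequest req,
                                                        HttpServletResponse resp) {
        HttpSession s = req.getSession(false);
        if (s == null) return;
        Cookie c = new Cookie("JSESSIONID", s.getId());
        String ctx = req.getContextPath();           // Tomcat scopes the cookie to the context
        c.setPath("".equals(ctx) ? "/" : ctx);
        resp.addCookie(c);
    }

    /** True only if the request carries the Secure-only token and it matches the session. */
    static boolean tokenMatches(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s == null) return false;
        Object expected = s.getAttribute(TOKEN_ATTR);
        if (expected == null) return false;          // logged in? token was never issued
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (TOKEN_COOKIE.equals(c.getName())) {
                // constant-time comparison so a mismatch does not leak via timing
                return MessageDigest.isEqual(expected.toString().getBytes(), c.getValue().getBytes());
            }
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Sensitive pages are never served over http; redirect to the https URL instead.
        if (!req.isSecure()) {
            resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI());
            return;
        }
        // A session id captured from http traffic gets the attacker nothing here
        // without the token that the browser only ever sends over https.
        if (!tokenMatches(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers the sensitive area (the example assumes /secure/*), call issueToken from the https login servlet right after authentication, and call resendSessionCookieWithoutSecure from the same place if the application needs the session visible on http pages. Tomcat sets the Secure flag by the very line quoted in the thread (cookie.setSecure(true) when hreq.isSecure()), so the re-send is the only hook short of patching that code; the filter is what keeps the https pages safe once the session id is exposed on http.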
