Raiden,

If you really want to maintain the session between HTTPS and HTTP you can do it by writing the link to the insecure page with the session id like this (using JSP):

From the insecure page:

<%-- Tomcat reads the session id from the ";jsessionid=" path parameter --%>
<form method="post" action="http://(youraddress/insecurepage);jsessionid=<%=session.getId()%>">
  <input type="submit" value="go insecure"/>
</form>

The same thing will work going from insecure to secure. Your session will get dragged around.

-------

Also, it is interesting to note that a recent "Feature" of Expresso is the ability to maintain session when going between HTTPS and HTTP. It must be that users need this capability.

Dan

Raiden wrote:
>
> Hi Bill,
>
> Honestly, as a user, I don't feel competent enough with the Tomcat
> internal architecture to write a patch.
>
> However, to me, this is a vital thing missing from the Tomcat 4.1.x
> branch. Quite a few of the sites that I work on require that a session
> created under https be accessible under http, and as a security measure,
> we drop our own Secure cookie... and make sure it is present on any pages
> with confidential information (which we of course make https as well).
>
> Because Tomcat prevents us from doing this, and because of the lack of a
> "secureCookies" feature in 4.1.x, I just keep hacking away at the
> Connectors code in every new release, and comment out the if statement
> that prevents the desired functionality (which is NOT an elegant
> solution).
>
> I think there IS a demand for the "secureCookies" feature, because I have
> seen several posts for this before, and I just hope that someone who has
> more knowledge of Tomcat's internal workings than myself will figure out
> the proper way to patch this.
>
> -Raiden
> (and I will be forever grateful to anyone that can do this!)
>
> ----
>
> From: "Bill Barker"
> Date: 2003-01-10 7:42:35
>
> As the person that implemented the 3.3.2 behavior documented below, I'm
> more than willing to review a patch to 4.1.x that would implement the same
> behavior. I just can't bring myself to believe that it's that big of an
> issue if it's not worth anyone's time to construct a patch.
>
> > "David Hemingway" <[EMAIL PROTECTED]> wrote in message
> > news:031c01c2b7ac$a6f50a90$0b7bfea9@w9b1jqmyjsd9ds1...
> > Hi,
> >
> > I am trying to allow session cookies that were created via https to retain the
> > session when stepping down to http; however, by default a new session will be
> > made. It seems that a session made under http will sustain if you step up to
> > https but not the reverse. I read in the following document that in Tomcat
> > 3.3.2 you can allow a session to be valid via http even if it was created
> > via https:
> > http://jakarta.apache.org/tomcat/tomcat-3.3-doc/serverxml.html#SessionId
> >
> > secureCookie
> > [Tomcat 3.3.2] If true, then Tomcat will mark the Session ID cookie
> > as "Secure" if the session is created over a SSL connection. A conforming
> > browser will only send the cookie back to a page that is using SSL. The
> > effect is that if a session is created from a SSL page, then it is not
> > available to any non-SSL pages.
> >
> > <SessionId cookiesFirst="true" noCookies="false" />
> > <SessionId noCookies="true" />
> > <SessionId noCookies="true" checkSSLSessionId="true"/>
> >
> > I am using Tomcat 4.1.18 and I would like to implement this as it will
> > greatly simplify a section of my site. I have 2 questions regarding it
> > though.
> > 1. Can anyone tell me how this can be implemented in 4.1.18 to begin with
> > :-) (I can't find any docs).
> > 2. Does this open up a huge security hole that I am not seeing? I have
> > heard things about session hijacking?
> >
> > Many thanks
> > regards,
> >
> > Dave
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
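The thread leaves Dave's second question (does letting a session cross the HTTPS/HTTP boundary open a hijacking hole?) answered only in passing, by Raiden's remark about dropping "our own Secure cookie". Below is a worked sketch of that safeguard as a servlet filter. It is an added example written for this page, not code from the thread, from Tomcat or from Expresso. The idea: once the container's session is allowed onto plain HTTP, its JSESSIONID can be read off the wire, so a hijacker can obtain a valid session; confidential pages therefore additionally require a second, Secure-flagged cookie bound to the session at login, which a conforming browser only ever sends over TLS and which the hijacker never saw. Assumptions (mine): the Servlet 2.3 API shipped with Tomcat 4.1, the filter mapped in web.xml to the confidential URL space (for example /account/*), bind() called from the HTTPS login handler after authentication succeeds, and cookie and attribute names of my own choosing.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread or from Tomcat. Guards confidential
 * (HTTPS-only) pages of a session that is allowed to travel over plain HTTP
 * with a second cookie that is only ever sent over TLS.
 *
 * Assumed (mine): Servlet 2.3 API (Tomcat 4.1), filter mapped to the
 * confidential paths in web.xml, bind() invoked by the HTTPS login code.
 * Cookie and attribute names are arbitrary.
 */
public class SecureMarkerFilter implements Filter {
    static final String MARKER_COOKIE = "SECMARK";                 // assumed name
    static final String MARKER_ATTR = "SecureMarkerFilter.marker"; // assumed name
    private static final SecureRandom RNG = new SecureRandom();

    /** Call from the HTTPS login handler once the user has authenticated. */
    public static void bind(HttpSession session, HttpServletResponse resp) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuffer sb = new StringBuffer(32);
        for (int i = 0; i < raw.length; i++) {
            String h = Integer.toHexString(raw[i] & 0xff);
            if (h.length() == 1) sb.append('0');
            sb.append(h);
        }
        String marker = sb.toString();
        session.setAttribute(MARKER_ATTR, marker); // server-side copy
        Cookie c = new Cookie(MARKER_COOKIE, marker);
        c.setSecure(true);   // a conforming browser sends it only over TLS
        c.setPath("/");
        resp.addCookie(c);   // client-side copy; never crosses the wire in clear
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        // Confidential pages are HTTPS-only; do not fall through on plain HTTP.
        if (!r.isSecure()) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        HttpSession s = r.getSession(false);
        String expected = (s == null) ? null : (String) s.getAttribute(MARKER_ATTR);
        String presented = cookieValue(r, MARKER_COOKIE);

        // No marker bound to the session, or a marker that does not match:
        // either nobody logged in over HTTPS on this session, or a JSESSIONID
        // captured on HTTP is being replayed. Drop the session rather than
        // serve confidential data on it.
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            if (s != null) s.invalidate();
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED, "secure marker missing; log in again");
            return;
        }
        chain.doFilter(req, res);
    }

    private static String cookieValue(HttpServletRequest r, String name) {
        Cookie[] cs = r.getCookies();
        if (cs == null) return null;
        for (int i = 0; i < cs.length; i++)
            if (name.equals(cs[i].getName())) return cs[i].getValue();
        return null;
    }

    /** Compare without leaking the position of the first mismatch. */
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

Two caveats worth keeping in mind with this scheme. The marker must be minted at login, not lazily on the first confidential request; minting it lazily would hand the marker to whoever first presents a captured JSESSIONID over HTTPS. And the marker only limits what a sniffed session id is good for: everything the session does on plain HTTP is still hijackable, and an id carried in the URL as ;jsessionid= also ends up in Referer headers and in proxy and server logs, so the non-confidential part of the site should hold nothing an attacker would want.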