Hi, I'm relatively new to the Tomcat server and I'm having a problem with configuring Tomcat for a particular behavior that I need. I've scoured the internet for several days and haven't been able to find anything on this topic.

I'm trying to build a website with several SSL-protected pages and several unprotected pages. To do this, I'm using the built-in users/roles support in Tomcat. My problem is that Tomcat uses the same cookie for authentication as it does for session tracking.

For example, when a user loads an unprotected page, Tomcat sets a JSESSIONID cookie with a "send over any type of connection" flag. If the user later moves to a protected page, it uses the same JSESSIONID cookie, even after they've logged in. A malicious third party could theoretically monitor the connection while it's unprotected and then later initiate an SSL connection with the same JSESSIONID posing as the legitimate user.

If the legitimate user first logs in to a protected page, Tomcat will automatically set the JSESSIONID cookie to only send over protected connections. Unfortunately, if the user then moves to an unprotected page, Tomcat blows away the original cookie and creates a new one to send over any type of connection.

Is there any way to make Tomcat use a different cookie for form authentication than it does for session tracking? That is, can I make it use something other than JSESSIONID to authenticate a user?

Sorry for the verbose post, but I wanted to make my problem clear. Any help in this matter would be greatly appreciated. Thank you for taking the time to read this.
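As an added example (not part of the original post), this is the web.xml I would use to close the gap the post describes: mark the session cookie Secure and HttpOnly, and require TLS for every URL so the cookie is never issued on a plain-HTTP page in the first place, while only the protected area requires a login. It assumes Tomcat 7 or later (Servlet 3.0, where the cookie flags can be set in web.xml); the /secure/* path, the login pages and the member role are hypothetical names.

```xml
<!-- web.xml (Servlet 3.0 descriptor, Tomcat 7 or later) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <!-- JSESSIONID: never sent over plain HTTP, never readable from script. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <!-- Every URL is served over TLS, so the Secure cookie is always sent and the
       session id never crosses the wire in clear; no login is required here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Hypothetical protected area: login required. The transport guarantee is
       repeated because overlapping constraints combine, and a constraint with
       no user-data-constraint would permit plain HTTP for this pattern. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

With this in place the replacement of the Secure cookie on an unprotected page cannot happen, because no page is served unprotected; pages that needed no login still need none. Tomcat 7 and later also issue a new session id on successful form login (the authenticator's changeSessionIdOnAuthentication setting, enabled by default), which is the other half of the defence against a session id observed before authentication.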