Gregor,

On 3/13/2009 11:42 AM, Gregor Schneider wrote:
> So would the following scenario work?
>
> - login using form-based login via https
>
> - when successful:
> HttpSession session = request.getSession();
> // guess that shouldn't happen
> if (session != null) {
>     session.invalidate();
> }
> session = request.getSession(true);
>
> Looks ok to me - your comments?

I don't see how this could work. Immediately after login you invalidate the session, thus logging out the user.

Here's what you want to do:

- Write a filter that intercepts all HTTPS traffic and redirects it to HTTP. This will make sure that anyone attempting to use HTTPS for the fun of it will end up seeing a non-secure page. This will not affect calls to j_security_check.

- Modify your login page to invalidate the session and redirect to HTTP if HTTPS is detected. This will expire sessions that are created in the secure realm in response to deep requests to your webapp (this handles the case of someone trying to hit /some/secure/place and Tomcat automatically forwarding to the login page, in HTTPS mode).

I was going to say that you should make sure that your login page forces a session creation, but Tomcat will already have created your session before the login page displays.

Make sure your login form points to https://your.server/j_security_check (of course!).

I think that will make it all work.

-chris
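A servlet filter that carries out the two steps described in the reply above, added here as an illustration and not code from this thread or from Tomcat; it assumes the javax.servlet API, a mapping of the filter to /* in web.xml, and a hypothetical init-param named httpPort.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Redirects every HTTPS request (except the container's login action) to
 * plain HTTP, invalidating any session that was created under HTTPS first.
 */
public class HttpsToHttpFilter implements Filter {
    // Hypothetical init-param: the plain-HTTP port clients are sent to.
    private int httpPort = 80;

    @Override
    public void init(FilterConfig config) {
        String p = config.getInitParameter("httpPort");
        if (p != null) httpPort = Integer.parseInt(p);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String uri = request.getRequestURI();

        // Tomcat's authenticator handles j_security_check before any filter
        // runs; the path check is only a safeguard for other containers.
        if (request.isSecure() && !uri.endsWith("/j_security_check")) {
            // Step 2: a session created under HTTPS (e.g. by a deep link that
            // Tomcat forwarded to the login page) is tied to a Secure cookie
            // the browser will not send over HTTP, so drop it here.
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();

            // Step 1: send the client to the same path and query over HTTP.
            // From here on the session cookie travels in cleartext, so this
            // only suits applications whose post-login data is not sensitive.
            StringBuilder target = new StringBuilder("http://")
                    .append(request.getServerName());
            if (httpPort != 80) target.append(':').append(httpPort);
            target.append(uri);
            String qs = request.getQueryString();
            if (qs != null) target.append('?').append(qs);
            response.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```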