From Firefox Live HTTP Headers

Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure
Location: https://216.94.100.154/inetwork/Start.jsp

Hmmmm.  That looks like it is secure.

My filter is getting this.

 Cookie0 name= JSESSIONID
 Cookie0 value= B4F06784FE4EAA0A7C9830BBF86D85B4
 Cookie0 isSecure = false

Filter code
        import java.io.IOException;
        import javax.servlet.*;
        import javax.servlet.http.Cookie;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        // doFilter body as posted, reformatted: logs whether the container treats the
        // request as secure, then dumps the cookies it parsed from the Cookie header.
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpResp = (HttpServletResponse) res;
            System.out.println("http request is secure = " + httpReq.isSecure());

            Cookie[] c = httpReq.getCookies();   // null when the request carried no Cookie header
            if (c != null) {
                for (int i = 0; i < c.length; i++) {
                    System.out.println(" Cookie" + i + " name= " + c[i].getName());
                    System.out.println(" Cookie" + i + " value= " + c[i].getValue());
                    System.out.println(" Cookie" + i + " isSecure= " + c[i].getSecure());
                }
            }
            chain.doFilter(req, res);   // continue down the filter chain (omitted from the posted fragment)
        }

JW
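An added example, not code from anyone in this thread: a small Python checker that does the client-side verification Pid suggests, over a constructed Live HTTP Headers-style trace built from the two headers quoted above (SAMPLE_TRACE, the Login.jsp request and the "pref" cookie are assumptions). audit_trace flags any Set-Cookie delivered over https without the Secure attribute, and parse_cookie_header shows why the filter's getSecure() reads false: the browser's Cookie request header carries only name=value pairs, so the container can never recover Secure (or any other attribute) on the request side.

```python
import re

# Constructed sample trace in Live HTTP Headers layout (URL line, request headers,
# response headers, dashed separator), built from the two headers quoted in the thread.
# The second Set-Cookie ("pref") is invented so the audit has something to flag.
SAMPLE_TRACE = """\
https://216.94.100.154/inetwork/Login.jsp
GET /inetwork/Login.jsp HTTP/1.1
HTTP/1.x 302 Moved Temporarily
Set-Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4; Path=/inetwork; Secure
Location: https://216.94.100.154/inetwork/Start.jsp
----------------------------------------------------------
https://216.94.100.154/inetwork/Start.jsp
GET /inetwork/Start.jsp HTTP/1.1
Cookie: JSESSIONID=B4F06784FE4EAA0A7C9830BBF86D85B4
HTTP/1.x 200 OK
Set-Cookie: pref=blue; Path=/inetwork
----------------------------------------------------------
"""

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def parse_cookie_header(header_value):
    """Request-side Cookie header: only name=value pairs come back from the browser,
    so no attribute (Secure included) is recoverable by a server-side getSecure()."""
    pairs = (p.strip().partition("=") for p in header_value.split(";") if p.strip())
    return {name.strip(): val.strip() for name, _, val in pairs}

def audit_trace(trace):
    """List (url, cookie_name) for every Set-Cookie delivered over https that lacks
    the Secure attribute, i.e. the check the thread wants done at the browser."""
    findings = []
    for block in filter(str.strip, re.split(r"^-{10,}$", trace, flags=re.MULTILINE)):
        lines = [l for l in block.strip().splitlines() if l.strip()]
        url, over_tls = lines[0], lines[0].lower().startswith("https://")
        for line in lines[1:]:
            if line.lower().startswith("set-cookie:"):
                name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
                if over_tls and "secure" not in attrs:
                    findings.append((url, name))
    return findings
```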


-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Wednesday, October 28, 2009 9:52 AM
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL


On 27/10/2009 22:31, Joe Wallace wrote:
>
> André Warnier wrote:
>> Am I mistaken then to think that since the connection B from IIS to
>> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
>> being used ?
>> Whatever consequences this has in the context (and which are beyond my
>> expertise).
>
> Andre,
> I guess that is the question.
>
> The filter I have in Tomcat calls request.isSecure().
> This returns true.
>
> (All requests have been using https)

What steps are you taking to ensure this is the case?

How are you enforcing HTTPS, are you using a 
<transport-guarantee>CONFIDENTIAL</transport-guarantee>?

Under the general category of asking the obvious, can you clear all 
existing cookies and then use Firebug/LiveHTTPHeaders in Firefox (or the 
browser of your choice) to see exactly when the first Set-Cookie header 
occurs?


p
> When Tomcat does this:
>
> if(request.isSecure())
>    cookie.setSecure(true);
>
> a call to cookie.getSecure() should return true.
>
> But the same filter that returns true for request.isSecure()
> calls Cookie.getSecure() and it returns false.
>
>
>
> Joe
>
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Tuesday, October 27, 2009 5:11 PM
> To: Tomcat Users List
> Subject: Re: SessionID cookie not secure over SSL
>
>
> Joe Wallace wrote:
>>
>> -----Original Message-----
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Sent: Tuesday, October 27, 2009 4:48 PM
>> To: Tomcat Users List
>> Subject: Re: SessionID cookie not secure over SSL
>>
>>
>>> Joe Wallace wrote:
>>>> I am using session cookies to track sessions.  I am used to JRun where you 
>>>> would specifically set the cookie to be sent only over SSL or https.  This 
>>>> was not the default setting.  I want users to connect to my web site using 
>>>> https; then they might click a link on one of my web pages whose protocol 
>>>> is not secure.  What is the behavior of the JSESSIONID cookie in this 
>>>> situation?
>>>>
>>> Joe,
>>
>>> 1) assuming your setup is
>>
>>> browsers<-->  IIS<-->  Tomcat
>>              A         B
>>
>>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
>>
>>> 2) "secure" is an attribute of a cookie, written inside of the cookie by
>>> the server creating the cookie in the first place.
>>> If set, it has the consequence that a browser will only send it back to
>>> the original server with subsequent requests if these subsequent
>>> requests happen over an HTTPS connection.
>>
>>> In other words, if you set the secure attribute on the JSESSIONID
>>> cookie, because for instance your initial request happens over HTTPS,
>>> then you switch to a non-HTTPS part of the site, the browser is probably
>>> no longer going to send this cookie back to the server.
>>> In other words, you will, for practical purposes, "lose your session".
>>
>>> Not so, gurus ?
>>
>> Portion A is using IIS.  IIS holds the SSL cert.
>> I am using the AJP 1.3 connector for IIS.
>> It is defined in the Tomcat server.xml:
>>
>> <!-- Define an AJP 1.3 Connector on port xxxx -->
>>      <Connector port="8109" protocol="AJP/1.3" redirectPort="443"
>> />
>>
>
>> Am I mistaken then to think that since the connection B from IIS to
>> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
>> being used ?
>> Whatever consequences this has in the context (and which are beyond my
>> expertise).
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

