I sent this email to the ssl-ext list last week and never got a response.  A moderator needed to approve it due to its size and since there isn’t too much activity on that list anymore, it may be lost in a spam filter somewhere.

Nonetheless, in case anyone on this list is interested, here is the email....


From: Darian Shimy
Sent: Friday, October 28, 2005 11:27 AM
To: '[EMAIL PROTECTED]'
Subject: FIX: Session lost from HTTPS to HTTP and Redirect warning from IE

I had some problems when a session was created in HTTPS and the user went to HTTP.  There are security issues with this; however, if you want this functionality to work, I attached a patch (I apologize for the CVS Keyword expansion) for the changes, which include:

  1. Changed variable names from enum to enumeration in SecureRequestUtils for JDK 1.5 compatibility.
  2. Added a class SecureSessionFilter that will add a session cookie with the session ID when switching from HTTPS to HTTP if the user's session was not used from a cookie.  This resolves the problem where a session is created in HTTPS and, when the user tries to navigate to HTTP, the session is lost.  The workaround before this filter was to put the session ID on all URLs, which has other consequences.  To use this feature the addSessionHttp property must be true.
  3. Added the ability to switch from HTTPS to HTTP with a client-side redirect instead of a 302 redirect.  This solved the problem with Internet Explorer complaining that the data submitted using a secure page was sent to an insecure page.

For the above changes I added two configuration parameters to the SecurePlugInInterface:

  1. addSessionHttp – This boolean value must be set to true for the system to add the session ID to the URL when going from HTTPS to HTTP.  The default is true.
  2. httpRedirectPage – This is a JSP page in the webapp that the system will redirect the user to when we need a redirect from HTTPS to HTTP and we don't want the nag screen.

Sample struts-config.xml fragment:

    <plug-in className="org.apache.struts.action.SecurePlugIn">
        <set-property property="httpPort" value="80"/>
        <set-property property="httpsPort" value="443"/>
        <set-property property="enable" value="true"/>
        <set-property property="addSession" value="false"/>
        <set-property property="addSessionHttp" value="true"/>
        <set-property property="httpRedirectPage" value="/redirect.jsp"/>
    </plug-in>

Sample web.xml fragment for filter:

    <filter>
        <filter-name>SessionProtocolFilter</filter-name>
        <filter-class>org.apache.struts.util.SecureSessionFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>SessionProtocolFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Sample HTTP Redirect Page:

<%@ page import="org.apache.struts.action.SecurePlugInInterface"%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%-- SSLEXT_REDIRECT_URL: request attribute holding the HTTP target of the HTTPS-to-HTTP switch --%>

<html>
  <head>
    <script language="javascript" type="text/javascript">
    <!--
    window.location.replace("<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>");
    // -->
    </script>
    <title>Please wait...</title>
    <meta http-equiv="Refresh" content="0; url=<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>">
  </head>

  <body>
    If you are seeing this page, your browser settings prevent you
    from automatically redirecting to a new URL.
    <p>
    Please <a href="<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>">click here</a> to continue.
  </body>
</html>

Let me know if you have any questions.
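As an added illustration of what item 2 above describes (example code written for this post, not the attached patch and not sslext's own SecureSessionFilter): a servlet filter that re-issues the session cookie on a plain-HTTP request whose session id arrived in the URL. It assumes the container marked the cookie Secure when the session was created over HTTPS, which is why the browser withholds it on HTTP; the class name and cookie name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not the sslext SecureSessionFilter from the patch).
 * A session created over HTTPS usually gets a Secure session cookie from the
 * container, so on plain HTTP only a URL-encoded session id survives. For such
 * a request this filter writes a non-Secure cookie carrying the same id.
 */
public class SessionCarryOverFilter implements Filter {
    private static final String COOKIE_NAME = "JSESSIONID"; // servlet-spec default name
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            if (needsCookie(request) && request.getSession(false) != null) {
                ((HttpServletResponse) res).addCookie(buildCookie(
                        request.getSession(false).getId(), request.getContextPath()));
            }
        }
        chain.doFilter(req, res);
    }

    /** Plain-HTTP request whose valid session id arrived in the URL, not in a cookie. */
    static boolean needsCookie(HttpServletRequest request) {
        return !request.isSecure()
                && request.isRequestedSessionIdValid()
                && !request.isRequestedSessionIdFromCookie();
    }

    /** Deliberately not Secure: from here on the session id travels in clear text over HTTP. */
    static Cookie buildCookie(String sessionId, String contextPath) {
        Cookie cookie = new Cookie(COOKIE_NAME, sessionId);
        cookie.setPath(contextPath.length() == 0 ? "/" : contextPath);
        return cookie;
    }
}
```

Mapped to /* in web.xml like the fragment above, it runs on every request but only acts on the first HTTP request after the switch; from then on the browser sends the cookie itself.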

 

 
