Re: Moving from http to https doesn't expire session

2005-05-04 Thread Bob Feretich
If you start a session under http, Tomcat will maintain the session into 
https. This is the desired behavior for most users. Most e-commerce 
sites use shopping cart models and don't switch to https until you 
want to check out. If the session was changed on the transition, you 
would lose the shopping cart contents just as it was time to pay. Also, 
maintaining the session from http to https does not create a security 
hazard.

Tomcat does not permit a session to be maintained across a https to http 
transition for security reasons.

To force a session to expire when moving from http to https, insert the 
following at the top of your https servlet/jsp, where request is the 
HttpServletRequest object:
   // needs javax.servlet.http.Cookie, HttpServletRequest and HttpSession
   if (!request.isSecure()) { // not needed if page is a secure resource
       // code to redirect back to the same page under https goes here
       return;
   }
   // get the browser's cookies
   Cookie[] cookies = request.getCookies();
   if (cookies == null) {
       // code to tell the user to enable cookies goes here
       return;
   }
   // check session
   HttpSession session = request.getSession(false);
   if (session != null) {
       // Find the JSESSIONID cookie
       for (int i = 0; i < cookies.length; i++) {
           if ("JSESSIONID".equals(cookies[i].getName())) {
               // note: a browser sends only name=value back, so a cookie
               // parsed from the request reports getSecure() == false
               if (!cookies[i].getSecure()) {
                   // invalidate non-secure session
                   session.invalidate();
                   // see below Note 1.
                   break;
               } // if cookie not secure
           } // if found cookie
       } // for i
   } // if session
   session = request.getSession(true);

Note 1. At this spot in my servlet, I have code to redirect back to the 
servlet under https. It shouldn't be required, but I may have suspected 
that session.invalidate() immediately followed by a 
request.getSession(true) didn't work.

Hope this helps.
Bob Feretich
Subject: Moving from http to https doesn't expire session
From: Fabian Pena [EMAIL PROTECTED]
Date: Mon, 02 May 2005 09:54:29 -0300
To: tomcat-user@jakarta.apache.org
Hi all,
I have a simple question, at least I think so.
I am developing an application that contains confidential information,
and I'm having a simple problem.
When a user moves from http to https the session doesn't expire; the
jsessionid is the same.
I want to generate a new session and of course change the jsessionid in the
first https request.
Can anyone help me?
Thanks in advance
Fabian


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
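As an added example (not code from Bob's or Fabian's posts), here is a servlet Filter that does what the thread asks for: on the first https request it invalidates a session that was started over http and creates a fresh one, carrying the attributes over so a shopping cart filled under http survives. Because a browser sends only the cookie's name and value back, the Secure flag is not visible server-side, so the filter marks the rotated session with an attribute instead; the class name, attribute name and the web.xml mapping are assumptions, and it assumes the response is not yet committed when the filter runs, so the container can still send the new JSESSIONID cookie.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Rotates the session id the first time an http-born session is used over https. */
public class SecureSessionRotationFilter implements Filter {
    // Marker attribute (our own name): present once the session was (re)created under https.
    static final String SECURE_SESSION = "secure.session.established";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            rotateIfInsecureOrigin((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Returns the id of the session in effect after the check. */
    static String rotateIfInsecureOrigin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {                       // no session yet: start one under https
            HttpSession fresh = request.getSession(true);
            fresh.setAttribute(SECURE_SESSION, Boolean.TRUE);
            return fresh.getId();
        }
        if (Boolean.TRUE.equals(old.getAttribute(SECURE_SESSION))) {
            return old.getId();                  // already rotated on an earlier request
        }
        // Carry the attributes (e.g. the cart) to a fresh session, then drop the http-born one.
        Map<String, Object> carried = new HashMap<String, Object>();
        for (Enumeration<?> en = old.getAttributeNames(); en.hasMoreElements();) {
            String name = (String) en.nextElement();
            carried.put(name, old.getAttribute(name));
        }
        old.invalidate();                        // the id issued over http is now worthless
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(SECURE_SESSION, Boolean.TRUE);
        return fresh.getId();
    }
}
```

Map the filter in web.xml to the https-only paths (for example /checkout/*); requests that stay on http are left untouched, which keeps the shopping-cart behaviour Bob describes.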


Re: Moving from http to https doesn't expire session

2005-05-04 Thread Fabian Pena
Thanks Bob.
Yes, I think an invalidate and then a request.getSession(true) doesn't work.
Do you know if there are some other options, or a Tomcat setting to do this?
The only solution that I have found so far was to set a different domain 
name for http and https.

As you see, my English is not good.
Greetings
Fabian


Moving from http to https doesn't expire session

2005-05-02 Thread Fabian Pena
Hi all,
I have a simple question, at least I think so.
I am developing an application that contains confidential information,
and I'm having a simple problem.
When a user moves from http to https the session doesn't expire; the
jsessionid is the same.
I want to generate a new session and of course change the jsessionid in the
first https request.
Can anyone help me?
Thanks in advance
Fabian