Re: Moving from http to https doesn't expire session
If you start a session under http, Tomcat will maintain the session into https. This is the desired behavior for most users. Most e-commerce sites use shopping cart models and don't switch to https until you want to check out. If the session was changed on the transition, you would lose the shopping cart contents just as it was time to pay. Also, maintaining the session from http to https does not create a security hazard. Tomcat does not permit a session to be maintained across a https to http transition for security reasons.

To force a session to expire when moving from http to https...

For https pages, at the top of your servlet/jsp, where request is the HttpServletRequest object, insert:

    if (!request.isSecure()) {              // not needed if page is a secure resource
        // code to redirect back to the same page under https
    }

    // get the browser's cookies
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
        // code to tell user to enable cookies (and return)
    }

    // check session
    HttpSession session = request.getSession(false);
    if (session != null) {
        // Find the JSESSIONID cookie
        for (int i = 0; i < cookies.length; i++) {
            if ("JSESSIONID".equals(cookies[i].getName())) {
                if (!cookies[i].getSecure()) {
                    // invalidate non-secure session
                    session.invalidate();       // see below Note 1.
                    break;
                }                               // if cookie[] not secure
            }                                   // if found cookie
        }                                       // for i
    }                                           // if session
    session = request.getSession(true);

Note 1. At this spot in my servlet, I have code to redirect back to the servlet under https. It shouldn't be required, but I may have suspected that session.invalidate() immediately followed by a request.getSession(true) didn't work.

Hope this helps.

Bob Feretich

> Subject: Moving from http to https doesn't expire session
> From: Fabian Pena [EMAIL PROTECTED]
> Date: Mon, 02 May 2005 09:54:29 -0300
> To: tomcat-user@jakarta.apache.org
>
> hi all
>
> I have a simple question, at least I think that. I am developing an application that contains confidential information, and I'm having a simple problem.
>
> When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.
>
> Can anyone help me?
>
> Thanks in advance
>
> Fabian
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
Re: Moving from http to https doesn't expire session
Thanks Bob. Yes, I think an invalidate and then a request.getSession(true) doesn't work. Do you know if there are some other options, or a Tomcat setting to do this? The only solution that I found at this moment was to set a different domain name for http and https.

As you see, my English is not good.

Greetings,
Fabian

Bob Feretich wrote:
> If you start a session under http, Tomcat will maintain the session into https. This is the desired behavior for most users. Most e-commerce sites use shopping cart models and don't switch to https until you want to check out. If the session was changed on the transition, you would lose the shopping cart contents just as it was time to pay. Also, maintaining the session from http to https does not create a security hazard. Tomcat does not permit a session to be maintained across a https to http transition for security reasons.
>
> To force a session to expire when moving from http to https...
>
> For https pages, at the top of your servlet/jsp, where request is the HttpServletRequest object, insert:
>
>     if (!request.isSecure()) {              // not needed if page is a secure resource
>         // code to redirect back to the same page under https
>     }
>
>     // get the browser's cookies
>     Cookie[] cookies = request.getCookies();
>     if (cookies == null) {
>         // code to tell user to enable cookies (and return)
>     }
>
>     // check session
>     HttpSession session = request.getSession(false);
>     if (session != null) {
>         // Find the JSESSIONID cookie
>         for (int i = 0; i < cookies.length; i++) {
>             if ("JSESSIONID".equals(cookies[i].getName())) {
>                 if (!cookies[i].getSecure()) {
>                     // invalidate non-secure session
>                     session.invalidate();       // see below Note 1.
>                     break;
>                 }                               // if cookie[] not secure
>             }                                   // if found cookie
>         }                                       // for i
>     }                                           // if session
>     session = request.getSession(true);
>
> Note 1. At this spot in my servlet, I have code to redirect back to the servlet under https. It shouldn't be required, but I may have suspected that session.invalidate() immediately followed by a request.getSession(true) didn't work.
>
> Hope this helps.
>
> Bob Feretich
>
> > Subject: Moving from http to https doesn't expire session
> > From: Fabian Pena [EMAIL PROTECTED]
> > Date: Mon, 02 May 2005 09:54:29 -0300
> > To: tomcat-user@jakarta.apache.org
> >
> > hi all
> >
> > I have a simple question, at least I think that. I am developing an application that contains confidential information, and I'm having a simple problem.
> >
> > When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.
> >
> > Can anyone help me?
> >
> > Thanks in advance
> >
> > Fabian
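The session rotation Bob describes, and the "other option" Fabian asks for, as an added example that is neither poster's code nor anything shipped with Tomcat: a servlet Filter (javax.servlet, the Servlet 2.x-era API Tomcat 5 implemented) that records at session creation whether the session was created over TLS and, on the first https request for a session born over plain http, copies its attributes into a fresh session so the JSESSIONID changes without dropping the shopping cart. The class name and the created.secure attribute name are my own choices; a session that reaches the filter without that attribute (created elsewhere before the filter ran) is treated as http-born and rotated once, which is the safe default.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session id on the first https request for a session that was
 * created over plain http, keeping the session attributes (e.g. the cart).
 * Example code written for this thread; not part of Tomcat or either poster's code.
 */
public class SecureSessionRotationFilter implements Filter {

    // Hypothetical attribute name: Boolean.TRUE once the session is known to
    // have been created (or re-created) over TLS.
    static final String CREATED_SECURE = "created.secure";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        if (session == null) {
            // First visit: create the session and remember the transport it was born on.
            session = request.getSession(true);
            session.setAttribute(CREATED_SECURE, Boolean.valueOf(request.isSecure()));
        } else if (request.isSecure()
                && !Boolean.TRUE.equals(session.getAttribute(CREATED_SECURE))) {
            // First https request for an http-born session: save attributes,
            // invalidate (Tomcat issues a new JSESSIONID on the next getSession(true)),
            // then restore the attributes into the new session.
            Map<String, Object> saved = new HashMap<String, Object>();
            Enumeration names = session.getAttributeNames();   // raw type: Servlet 2.x signature
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, session.getAttribute(name));
            }
            session.invalidate();
            session = request.getSession(true);
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                session.setAttribute(e.getKey(), e.getValue());
            }
            session.setAttribute(CREATED_SECURE, Boolean.TRUE);
        }
        // A session born over TLS, or already rotated, passes through untouched.
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers the pages served over https; it then runs before any servlet or JSP on those paths. Two points worth knowing when adapting this: a Cookie object obtained from request.getCookies() carries only the name and value the browser sent (browsers never transmit the Secure attribute back), so Cookie.getSecure() on a request cookie cannot tell you whether JSESSIONID was issued over http, which is why this filter records the transport in a session attribute at creation time instead; and request.isSecure() reflects what the Tomcat connector believes, so behind a TLS-terminating proxy the connector must be configured to treat those requests as secure. On Servlet 3.1 and later containers (Tomcat 8+), HttpServletRequest.changeSessionId() performs the same id rotation in one call without the copy-and-restore step.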
Moving from http to https doesn't expire session
hi all

I have a simple question, at least I think that. I am developing an application that contains confidential information, and I'm having a simple problem.

When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.

Can anyone help me?

Thanks in advance

Fabian