Another weird behaviour I just discovered is the following:
If a httpsession is created by a servlet processing a request sent under(scheme) http, then redirects to https, the session is available to the servlet processing in https. In other words, it stays put.
HOWEVER, if a httpsession is created by a servlet processing a request under https, and then redirects to http, the session is not available. But if one redirects back to https agin, the session is available.
Also, if you , after redirecting to http(where no session is to be found) create a new session, and then redirect back to https, the original session is lost and the new session created in http scheme is the current one.
In tomcat3.3, session created in either schemes(http or https) "stays put" when redirecting.
I haven't found anything in the servlet specification that
mentiones anything about this behaviour.
From: "Henrik Bentel" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: problem with session tracking and redirection http<---> https
Date: Thu, 17 Oct 2002 04:45:21 +0000
ok, I see your point.
My approach is that I only use https to scramble the login request itself, so that a login password cannot be read,or sniffed, in clear text(it probably still can, if someone really, really tries). Nothing critical is stored in the http session itself.
A lot of websites do something similar, where only the password part is secure, and subsequent pages are insecure. and to change password, the old one has to be entered. I guess I'm a bit of a loss for a better way to do this?? Any well known approaches out there?
-Henrik
From: Jacob Kjome <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Subject: Re: problem with session tracking and redirection http<---> https Date: Wed, 16 Oct 2002 23:33:41 -0500
This is the way Tomcat 4.x.x is made to work. The reason for this is security. I think it can be assumed that you were under https for a reason. Maybe you entered your cedit card info and are storing that in the session until the final submit. Now, if you stayed in the same session when moving to http from https, your session id is in plain text. This can be hijacked by anyone sniffing network packets. Once they have your session id, theoreticaly, they have full access to everything you entered in that session including your credit card info. This is a *huge* security issue and Tomcat. Even if Tomcat-3.3.x allows you to do this, you would be wise to dump the session on your own before moving to http for your users' security.
Obviously, this requires that you rethink some of your application flow, but Tomcat-4.x.x is doing the right thing here.
Jake
At 02:28 AM 10/17/2002 +0000, you wrote:
Help!
I recently tried to upgrade my version of Tomcat from 3.3 to 4.1(I also tried 4.0). My problem is that for some reason the httpsession is lost after redirection from https to http. I run apache in front of tomcat to handle static content plus certificate. My webapp depend on the ability to login a user of secure connection then redirect to an unsecure connection. I do the usual
res.sendRedirect(res.encodeRedirectURL.....)). But after redirecting to http protocol (to the same webapp context) the http session is null.
My webapp workes fine in Tomcat 3.3. Nothing has changed except tomcat version and of course the tomcat conf. files. I've tried both the Coyote connector and the ajp13 one. mod_jk and mod_jk2(which I couldn't get working) on the apache side. I've tried Apache 1.3 and Apache 2. And I am going insane.
My server.xml file is close to the default one, I've only added my context(defining docbase and such). For 3.3 this worked like a charm.
Anyone??
-Henrik
_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
_________________________________________________________________
Unlimited Internet access for only $21.95/month. Try MSN! http://resourcecenter.msn.com/access/plans/2monthsfree.asp
--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
_________________________________________________________________
Get a speedy connection with MSN Broadband. Join now! http://resourcecenter.msn.com/access/plans/freeactivation.asp
--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
