----- Original Message ----- From: "Johnny Kewl" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, June 10, 2008 3:19 AM
Subject: Re: Session lost when switching from https to http after upgrade to Tomcat 6



----- Original Message ----- From: "Bill Davidson" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, June 09, 2008 7:17 PM
Subject: Re: Session lost when switching from https to http after upgrade to Tomcat 6


Johnny Kewl wrote:
Bill... Just lose the FORM authentication, replace it with DIGEST, or even BASIC.... I think all your problems will go away.

I'm not exactly sure what you're saying. Are you saying that I shouldn't be
authenticating through a form?

Yes... Just because all your problems seem related to cookies, and FORM authentication relies on cookies. Also because I have no idea how to tell Tomcat, when creating the session, to lose that Secure attribute. I guess one has to override a class somewhere, and that's probably just a good indication (these TC designers are guru gods, as clever as hell ;) that maybe moving from HTTPS to HTTP is just a bad idea.

Then I started thinking about, say, DIGEST/BASIC authentication, which does not work on a cookie; it's going to have its own authentication headers, and I think the browser will return those even when moving from HTTPS to HTTP... so now with FORM replaced with DIGEST, say... it's all legal. And it is actually safe... it would drop the session and make a new one... and for most webapps (that are not using cookies in security) that's no problem, cookies are free ;)

So (if I'm right) FORM auth when moving from HTTPS to HTTP is bad news and requires a kludge, i.e. overriding secure cookies... and even though that's clever, it is a security hole... a hacker gets that cookie, they're in.

But... DIGEST would allow the same thing, no kludge and would be safe.

That's kinda interesting... or maybe I'm just bored ;)

I don't like the idea of "fixing" it... that's all.


Here's a better way of saying it....
When a webapp moves from HTTPS to HTTP... the sessions must get a bad case of amnesia.
That's what the security is doing.

If DIGEST is used... it will still work (I think) even though the webapp has a bad case of amnesia.
i.e. the webapp will just start remembering state from the changeover.

ok I am bored ;)

---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
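The cookie half of the argument above can be watched in working code. This is an added example, not code from the mailing-list thread, from Bill's application or from Tomcat itself: it uses Python's standard-library cookie jar as a stand-in for the browser, feeds it the kind of Set-Cookie header the thread describes (a JSESSIONID carrying the Secure attribute because the session was created over HTTPS), and then asks what the jar would send on a follow-up request over plain HTTP. The host name, paths and session ids are constructed for the illustration, and `server_session_lookup` is a hypothetical stand-in for the container's session lookup, not Tomcat's code. The Authorization-header side of the DIGEST/BASIC suggestion is not modelled here.

```python
"""Why a session created over HTTPS is 'forgotten' after a switch to HTTP:
the session cookie carries the Secure attribute, and a cookie jar that
honours that attribute will not attach it to an http:// request.

Added example (not code from the thread or from Tomcat).  The Python
standard-library CookieJar plays the browser; host names, paths and
JSESSIONID values are constructed for illustration.
"""
import email.message
import http.cookiejar
import urllib.request


class ConstructedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()
    and reads the Set-Cookie headers from the object it returns."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no stored cookie is allowed on that request."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_after_switch(login_url, next_url, set_cookie):
    """Log in at login_url (the server answers with set_cookie), then request
    next_url and report what the 'browser' sends back: the Cookie header
    string, or None when the session cookie is withheld."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(ConstructedResponse([set_cookie]),
                        urllib.request.Request(login_url))
    return cookie_header_for(jar, next_url)


def server_session_lookup(cookie_header, live_sessions):
    """Hypothetical server side of the same exchange (not Tomcat's code):
    find JSESSIONID in the Cookie header and look it up.  Returns
    (session_id, is_new); a missing or unknown id means the container mints
    a fresh, empty session, which is the 'amnesia' the thread talks about."""
    if cookie_header:
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID" and value in live_sessions:
                return value, False
    return "NEW-" + str(len(live_sessions) + 1), True


# Constructed URLs and cookies for the demonstration.
LOGIN = "https://app.example.test/app/j_security_check"
HTTP_PAGE = "http://app.example.test/app/home"
HTTPS_PAGE = "https://app.example.test/app/home"
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/app; Secure"  # issued for an HTTPS session
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/app"           # the 'kludge': Secure stripped

if __name__ == "__main__":
    sessions = {"ABC123": {"user": "bill"}}
    for label, next_url, set_cookie in [
        ("Secure cookie, stay on HTTPS", HTTPS_PAGE, SECURE_COOKIE),
        ("Secure cookie, switch to HTTP", HTTP_PAGE, SECURE_COOKIE),
        ("Secure stripped, switch to HTTP", HTTP_PAGE, PLAIN_COOKIE),
    ]:
        sent = session_after_switch(LOGIN, next_url, set_cookie)
        sid, is_new = server_session_lookup(sent, sessions)
        print(f"{label}: browser sends {sent!r}; server uses session {sid}"
              f"{' (new, state lost)' if is_new else ''}")
```

The three cases line up with the thread: staying on HTTPS keeps the session, switching to HTTP with the Secure attribute intact drops it (the jar withholds the cookie and the server starts a new session), and stripping Secure makes the session survive the switch only because the session id is now being sent over plaintext HTTP, where anyone on the path can read it. That last case is the "kludge" Johnny is warning against.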
