Christopher Schultz wrote:
Unfortunately, this is expected behavior. If the JSESSIONID cookie is
created for the first time during an HTTPS transaction, then the cookie
will be marked as "secure", and the browser will not send it when
switching back to non-SSL HTTP.

You have two options, here:

1. Make sure that the user has a session /before/ going into SSL mode

or

2. Make everything after login use SSL

Neither choice is particularly appetizing. :(

True.

#1 is bad because I want the login servlet to be https to protect the
password and because that is the way the app has worked in the past.
I want to avoid changing the app any more than absolutely necessary.

#2 is even worse because I'd have to change a whole lot of links in a
very large app.

However today, I discovered door #3.  Make the login servlet (which is
https) create and set the cookie as a non-secure cookie instead of letting
Tomcat create the JSESSIONID itself.  This is a minor change to the code
and it seems to make everything work under Tomcat 6.0.16 as it did under
Tomcat 3.2.4.

You might be able to write a filter to adjust the "secure" bit on the
cookie as it goes out the door, but I can't guarantee that would work.
I'm unsure of the security implications, there, either, but I suspect
they are not too bad.

Wait, that sounds a lot like #3.  :D

I didn't really do it as a filter though. The login servlet, after verifying the
user's login and password, just creates and sets the cookie in the response
rather than letting Tomcat create the cookie.  The cookie does not have
the secure flag set because the Cookie constructor doesn't set it by
default.

Thank you very much for your help.

Long term, I think we need to switch everything after the login to https
but I'm getting some resistance to that idea based upon performance
concerns.  Most of the app's pages don't have sensitive data so it has
been set up to only do https on pages that can contain sensitive data.
I didn't design it. I just inherited it a few months ago. Keeping it working
as users expect is of paramount importance so changing the way
everything is done cannot be done lightly.
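The "door #3" approach described above, written out as an added illustration (this is not the poster's code; the credential check, the redirect target and the servlet name are assumed). It targets the Servlet 2.5 API that Tomcat 6 ships, so there is no setHttpOnly. The trade-off is the one the thread circles around: a JSESSIONID sent without the Secure flag travels over the plain-HTTP pages too, so anyone who can observe that traffic learns the session id, which is exactly what the flag is there to prevent.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet reached over HTTPS; hypothetical class name. */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Assumed application check; replace with the app's real one.
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Creating the session on this HTTPS request makes Tomcat queue its
        // own JSESSIONID Set-Cookie with the Secure flag, as the thread says.
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);

        // Re-issue the same session id ourselves. Cookie does not set the
        // secure flag by default, so the browser will also present it on
        // plain-HTTP pages. Assumption: because this header is written after
        // Tomcat's, the browser keeps this one for the same name and path.
        String ctx = req.getContextPath();
        Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
        sessionCookie.setPath(ctx.length() == 0 ? "/" : ctx);
        resp.addCookie(sessionCookie);

        resp.sendRedirect(ctx + "/home"); // assumed landing page
    }

    /** Placeholder for the application's own credential check. */
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty();
    }
}
```

Anything the session cookie protects after login is only as private as the HTTP pages it is sent on, so this buys back the old behaviour at the cost of session exposure on those pages.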


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]