Using Tomcat 7.0.32, we have a login page that, by default, the user comes to through HTTP. We immediately redirect the user to use HTTPS.
Goal: After the user enters the credentials, we want to redirect the user to the Home page using HTTP.
I understand the security risks -- man in the middle, session hijacking, etc.
I can't use spring security -- it's too late in the game -- release is coming shortly and https performance sucks.
Also, our app has a "change password" use case -- the user accesses "changepassword.jsp" from a menu in the home page. I guess I should redirect the user to "changepassword.jsp" using HTTPS. After the password change is confirmed, then redirect the user back again to the homepage using HTTP. Thoughts?
How to go about doing it -- is there any sample code available?
UPDATE 1: I've read about the issue from
1) http://tomcat.10.n6.nabble.com/Session-lost-when-switching-from-https-to-http-after-upgrade-to-Tomcat-6-td2105781.html
2) http://tomcat.10.n6.nabble.com/how-to-auto-redirect-to-https-from-http-td2087325.html
Code from https://forums.oracle.com/forums/thread.jspa?threadID=1394970 (Cabir)
What gotchas should I expect?
You say "I know Spring Security can do it", but in fact Spring Security doesn't do anything special. It just performs a redirect to HTTPS, which you are doing yourself. If you create a session with a secure cookie, and then switch back to HTTP, you will lose the session. This is explained in the Spring Security FAQ. As it explains, if you create a session before you redirect to HTTPS, then the session cookie will not be flagged as secure and will be passed over both HTTP and HTTPS, maintaining the session throughout.
The only other option that I can think of would be using mod_headers or its equivalent to modify the Set-Cookie header and remove the Secure flag if it is present. Here's an example which does the opposite, adding the flag to all cookies.
As an aside, have you tried performance tuning your site with HTTPS? You should really be using it throughout your app if there is any real value in your content and user accounts.
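The cookie rule the answer relies on, as an added Python example that is not from the thread or from Tomcat: it models how a browser applies the Secure attribute, how a proxy-side header rewrite adds or strips it, and walks the http login -> https login -> http home flow from the question to show when the session cookie survives. Cookie names, paths and URLs are constructed sample values; the Tomcat behaviour modelled is its default of flagging JSESSIONID Secure when the session is created on an HTTPS request.

```python
import re
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).
    attrs maps lower-cased attribute names to their value, or True for flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_sends_cookie(header, url):
    """Apply the Secure rule of RFC 6265 (section 4.1.2.5): a cookie carrying
    the Secure attribute is returned only on https requests. Path/Domain
    matching is deliberately not modelled here; only the scheme rule is."""
    _, _, attrs = parse_set_cookie(header)
    scheme = urlsplit(url).scheme.lower()
    if attrs.get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def rewrite_secure_flag(header, want_secure):
    """Add or strip the Secure attribute, mirroring what a reverse-proxy rule
    such as Apache mod_headers' `Header edit Set-Cookie ^(.*)$ $1;Secure`
    does (that directive is the 'adding' direction the answer mentions)."""
    stripped = re.sub(r";\s*secure(?=;|$)", "", header, flags=re.IGNORECASE)
    stripped = stripped.rstrip("; ")
    return (stripped + "; Secure") if want_secure else stripped


def tomcat_session_cookie(session_id, created_over_https):
    """Model Tomcat 7's default: JSESSIONID is flagged Secure when the session
    is created on a request that arrived over HTTPS (constructed values)."""
    header = "JSESSIONID=%s; Path=/app; HttpOnly" % session_id
    return rewrite_secure_flag(header, created_over_https)


def session_survives_http_home(create_session_before_redirect):
    """Walk the flow from the question. Returns True when the cookie issued at
    session creation is still sent to the http home page, i.e. the session is
    kept. A cookie without Secure is also visible to any on-path observer."""
    created_over_https = not create_session_before_redirect
    cookie = tomcat_session_cookie("constructed-session-id", created_over_https)
    return browser_sends_cookie(cookie, "http://example.test/app/home.jsp")
```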