Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Tomcat, keep session when moving from HTTPS to HTTP

Tags:

java

https

apache2

tomcat6

httpsession

I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP.

If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS.

However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP, forcing a new session and redirect to login page again. This time it works though, because this time the JSESSIONID cookie is set as non-secure.

How can I avoid that users have to log in twice when they hit the login page first?

like image 492
rlovtang Avatar asked Jan 08 '11 18:01

rlovtang

1 Answers

(Update: for clarity) Starting with the login Http get/post use https and use https through out the user's logged in session.

Use Http only when there is no logged in user.

There is a reason that cookies are not allow to cross protocol boundaries - it is an attack vector! (* see update below)

How to do this very bad idea

If you really insist, encode the jsessionId in the redirect to the http url ( or always encode the jsession id in the url). When Tomcat gets the http redirect, tomcat should find the session and continue.

Why you shouldn't do this

Seriously, any site that mixes https and http content on the same page is just opening themselves to all sorts of fun (and easy) attacks.

Going from https to keep the login "secure" is pointless if the rest of the session is in cleartext. So what that the username/password (probably just the password) is protected?

Using the ever-popular man-in-the-middle attack, the attacker just copies the session id and uses that to have fun. Since most sites don't expire sessions that stay active, the MIM effectively has full access as if they had the password.

If you think https is expensive in terms of performance look here, or just search. Easiest way to improve https performance to acceptable is to make sure the server is setting keep-alive on the connection.

  • update 1: For more see Session Hijacking, or Http Cookie Theft

  • update 2: See Firesheep Firefox plugin for how to do this quick and easy.

like image 170
Pat Avatar answered Oct 05 '22 05:10

Pat
Sign in to Comment

Related questions

Simple Server Monitoring with Java [closed]
Could not create servlet in web application project (google app engine) by using eclipse
Is this (Lock-Free) Queue Implementation Thread-Safe?
How safe is my safe rethrow?
How to store object (not string) in session in play framework?
Wrong Time with System.currentTimeMillis () (Java)
JTree rendering with JCheckBox nodes
Open Source Iris Scanning Library in Java [closed]
Scala and Java Real-Time System [closed]
Why does Java's invokevirtual need to resolve the called method's compile-time class?
Can i use Spring on GAE?
Productivity research material [closed]
Which logging library to use for cross-language (Java, C++, Python) system
Catching constraint violations in JPA 2.0
Can I use multiple statements in a JDBC prepared query?
Arima/Arma Time series Models in Java [closed]
Guava concurrency tutorials/code [closed]
Dynamic JPA Connection
Is there a Java user management package similar to Django auth application?
What are the implications of using SingletonEhCacheRegionFactory vs. EhCacheRegionFactory for Hibernate 2nd-level cache in a Web Application?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!