hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Becke <be...@u.washington.edu>
Subject Re: Cookie Visibility Problem from https to http
Date Wed, 21 Apr 2004 02:07:32 GMT
Hi Victor,

My guess is that the "secure" flag is being set on this cookie.  This 
flag means that the cookie should only be sent over secure(HTTPS) 
connections.  You can get around this problem by manually adding a new 
cookie (HttpState.addCookie()) with the same values, but setting secure 
to false.  The problem here is that the cookie is set to secure for a 
reason.  My guess is that this cookie contains a session ID that if 
sniffed could be used to gain access to the server as the authenticated 
user.  This may or may not be a concern in your situation.

Mike

On Apr 20, 2004, at 7:07 PM, Jean, Victor [IT] wrote:

> Hello,
>
> I'm having an issue where a cookie set by posting to a https:// link 
> is not being recognized/picked up when i make a http:// call.
>
> I'm using HttpClient and PostMethod to send username/password to be 
> authenticated at the https link.  Once authenticated, a cookie is set 
> by the server and then I make a http call using GetMethod to access 
> the link I need.  However, the http call does not pickup the cookie 
> and I get redirected to authenticate again.  If I make a https get 
> call after the cookie is set, the link works fine in detecting the 
> cookie, the problem is with http calls.  Can someone help by telling 
> me how to make the cookie visible to http when it has been set by 
> https?
>
> Below is my sample code:
>
> 	 //Setup the httpclient
> 	 HttpClient client = new HttpClient();
> 	 client.setTimeout(TIMEOUT);
> 	 client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
>
> 	 Protocol.registerProtocol("https", new Protocol("https",
> 					new EasySSLProtocolSocketFactory(), 443));
>
> 	 String authenticationURL = "https://somelink";
>
>         //Post the username/password to the authentication URL
>         PostMethod postUserPasswod = new PostMethod(authenticationURL);
>         postUserPasswod.setFollowRedirects(true);
>         postUserPasswod.addParameter("USER",username);
>         postUserPasswod.addParameter("PASSWORD",password);
>
>
>         //Execute the Post, If Successful a authentication cookie will 
> be set
>         //Then continue executing the request
>
>         client.executeMethod(postUserPasswod);
>
>
> 	  GetMethod requestURL = new GetMethod("http://somelink/test.html");
> 	  client.executeMethod(requestURL );
> 	  ins = new BufferedInputStream(requestURL 
> .getResponseBodyAsStream());
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: 
> commons-httpclient-dev-help@jakarta.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message