hc-dev mailing list archives

From Michael Becke <be...@u.washington.edu>
Subject Re: Cookie Visibility Problem from https to http
Date Wed, 21 Apr 2004 17:09:49 GMT
Hi Victor,

That's the only thing that comes to mind immediately.  Please post the 
wire log <http://jakarta.apache.org/commons/httpclient/logging.html> of 
both the requests, and we should be able to figure it out.  Feel free 
to obfuscate any sensitive information in the logs.

Mike

On Apr 21, 2004, at 12:56 PM, Jean, Victor [IT] wrote:

> Hi Mike,
>
> Thanks for your response.  I printed out the list of cookies set in 
> HttpState and found that all the cookie's secure flags are set to 
> false.  I also tried adding the same cookie name/value/domain/path 
> with the false secure flag without any success.  The http call does 
> not seem to see the cookie.  Can you think of any other reasons why 
> the cookie is not visible?
>
> -----Original Message-----
> From: Michael Becke [mailto:becke@u.washington.edu]
> Sent: Tuesday, April 20, 2004 10:08 PM
> To: Commons HttpClient Project
> Subject: Re: Cookie Visibility Problem from https to http
>
>
> Hi Victor,
>
> My guess is that the "secure" flag is being set on this cookie.  This
> flag means that the cookie should only be sent over secure (HTTPS)
> connections.  You can get around this problem by manually adding a new
> cookie (HttpState.addCookie()) with the same values, but setting secure
> to false.  The problem here is that the cookie is set to secure for a
> reason.  My guess is that this cookie contains a session ID that if
> sniffed could be used to gain access to the server as the authenticated
> user.  This may or may not be a concern in your situation.
>
> Mike
>
> On Apr 20, 2004, at 7:07 PM, Jean, Victor [IT] wrote:
>
>> Hello,
>>
>> I'm having an issue where a cookie set by posting to an https:// link
>> is not being recognized/picked up when I make an http:// call.
>>
>> I'm using HttpClient and PostMethod to send username/password to be
>> authenticated at the https link.  Once authenticated, a cookie is set
>> by the server and then I make an http call using GetMethod to access
>> the link I need.  However, the http call does not pick up the cookie
>> and I get redirected to authenticate again.  If I make an https get
>> call after the cookie is set, the link works fine in detecting the
>> cookie; the problem is with http calls.  Can someone help by telling
>> me how to make the cookie visible to http when it has been set by
>> https?
>>
>> Below is my sample code:
>>
>>         import java.io.BufferedInputStream;
>>         import org.apache.commons.httpclient.HttpClient;
>>         import org.apache.commons.httpclient.cookie.CookiePolicy;
>>         import org.apache.commons.httpclient.methods.GetMethod;
>>         import org.apache.commons.httpclient.methods.PostMethod;
>>         import org.apache.commons.httpclient.protocol.Protocol;
>>         import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
>>
>>         // ins, username, password and TIMEOUT are declared elsewhere in the class.
>>
>>         // Set up the HttpClient
>>         HttpClient client = new HttpClient();
>>         client.setTimeout(TIMEOUT);
>>         client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
>>
>>         Protocol.registerProtocol("https", new Protocol("https",
>>                 new EasySSLProtocolSocketFactory(), 443));
>>
>>         String authenticationURL = "https://somelink";
>>
>>         // Post the username/password to the authentication URL
>>         PostMethod postUserPasswod = new PostMethod(authenticationURL);
>>         postUserPasswod.setFollowRedirects(true);
>>         postUserPasswod.addParameter("USER", username);
>>         postUserPasswod.addParameter("PASSWORD", password);
>>
>>         // Execute the POST; if successful, an authentication cookie will be set.
>>         // Then continue executing the request.
>>         client.executeMethod(postUserPasswod);
>>
>>         GetMethod requestURL = new GetMethod("http://somelink/test.html");
>>         client.executeMethod(requestURL);
>>         ins = new BufferedInputStream(requestURL.getResponseBodyAsStream());
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>> commons-httpclient-dev-help@jakarta.apache.org
>>


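The thread turns on how a client decides whether a stored cookie is attached to a request: the Secure flag withholds it from plain http, and domain and path scoping can withhold it too, which is what the wire log Mike asks for would reveal. The following is an added example, not code from the thread or from HttpClient: a minimal RFC 6265-style matcher that reports why a cookie is withheld, so the reason can be checked before anyone considers re-adding a Secure session cookie with `secure` set to false (which is exactly the exposure Mike warns about). It goes beyond the secure flag to the domain and path checks, which are the other two causes of the same symptom. Every function name, the hostname `somelink`, and the cookie names and values are constructed for the example.

```python
# Added example (not code from the thread or from HttpClient): a minimal
# RFC 6265-style cookie-matching check that reports *why* a stored cookie is
# withheld from a request.  Hostnames, cookie names and values are constructed.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host-only form, no leading dot
    path: str = "/"
    secure: bool = False


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Domain defaults to the responding host and Path to "/" when the
    server does not supply them (what a browser or client would store).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlsplit(request_url)
    domain = (url.hostname or "").lower()
    path = "/"
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain = val.strip().lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            path = val.strip()
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, path, secure)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain matching: the host itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path matching: equal, or cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def explain_visibility(cookie: Cookie, request_url: str) -> Optional[str]:
    """Return None if the cookie would be attached to the request,
    otherwise a short reason it is withheld (the first failing check)."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie.secure and url.scheme != "https":
        return "secure flag set; request is not https"
    if not domain_matches(host, cookie.domain):
        return f"domain mismatch: cookie domain {cookie.domain!r}, request host {host!r}"
    if not path_matches(url.path or "/", cookie.path):
        return f"path mismatch: cookie path {cookie.path!r}, request path {url.path!r}"
    return None


def cookie_header(jar: List[Cookie], request_url: str) -> str:
    """Build the Cookie request header from the cookies that are visible."""
    visible = [c for c in jar if explain_visibility(c, request_url) is None]
    return "; ".join(f"{c.name}={c.value}" for c in visible)


def diagnose(jar: List[Cookie], request_url: str) -> List[str]:
    """One line per stored cookie: sent, or withheld with the reason.
    Worth running before re-adding a Secure cookie with secure=false: a
    session cookie forced onto http travels in cleartext."""
    lines = []
    for c in jar:
        reason = explain_visibility(c, request_url)
        lines.append(f"{c.name}: {'sent' if reason is None else 'withheld (' + reason + ')'}")
    return lines


if __name__ == "__main__":
    # Constructed Set-Cookie value modelled on the thread's login scenario.
    session = parse_set_cookie("JSESSIONID=abc123; Path=/; Secure",
                               "https://somelink/login")
    for target in ("https://somelink/test.html", "http://somelink/test.html"):
        print(target, "->", cookie_header([session], target) or "(no Cookie header)")
        for line in diagnose([session], target):
            print("   ", line)
```

Run stand-alone, the https request gets `JSESSIONID=abc123` and the http request gets no Cookie header with the reason "secure flag set; request is not https". A cookie stored without the Secure attribute is sent to both, so if HttpState really shows `secure == false` for every cookie, the same diagnostic applied to the request URL points at the domain or path check instead.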