tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: AW: AW: sessions, security, and the RFCs
Date Tue, 02 Apr 2002 16:47:05 GMT


On Tue, 2 Apr 2002, Ralph Einfeldt wrote:

> Date: Tue, 2 Apr 2002 09:40:48 +0200
> From: Ralph Einfeldt <ralph.einfeldt@uptime-isc.de>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: AW: AW: sessions, security, and the RFCs
>
> As I understand it, the spec doesn't say much about the
> session behaviour in this scenario.
>

Servlet 2.2 (basis for Tomcat 3.x) said almost nothing about this, so you
cannot count on any portability.

Servlet 2.3 (basis for Tomcat 4.x) added some specific requirements (such
as the ability to redirect from the non-SSL port to the SSL port and
maintain the session).

Note -- anyone who goes from the SSL port back to the non-SSL port has
just created a security hole.  I strongly urge you to add code to your
applications that prevents this from ever happening (even manually by the
user), by not accepting any non-SSL requests for a session once you've
accepted an SSL request for it (and stored sensitive information in the
session attributes).

Craig


> So it's quite legal that different containers implement
> opposite behaviours for the switch between http and https.
>
> It would be nice to hear what one of the gurus has to say
> about this topic?
>
> > -----Original Message-----
> > From: Manuel Mall [mailto:MM@arcus.com.au]
> > Sent: Thursday, 28 March 2002 06:53
> > To: 'Tomcat Users List'
> > Subject: RE: AW: sessions, security, and the RFCs
> <snip/>
> > Why does Tomcat 4 implement a different session behaviour
> > than Tomcat 3.3 if they are both based on essentially the
> > same specification?
> <snip/>
>
> --
> To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
> Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
>
>


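The check Craig recommends above (refuse any non-SSL request for a session once that session has been used over SSL) can be done in one place with a Servlet 2.3 filter, which Tomcat 4.x supports and Tomcat 3.x does not. The code below is an added illustration, not code from this thread or from Tomcat; the class name `SecureSessionFilter` and the attribute name `example.sessionSeenOverSSL` are made up for the example. It only relies on standard `javax.servlet` calls: `HttpServletRequest.isSecure()`, `getSession(boolean)`, session attributes, `invalidate()` and `sendError()`.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Tomcat): once a session has been used on
 * the SSL port, refuse to serve any later non-SSL request that presents the
 * same session id, and invalidate the session so the exposed id is useless.
 * Map it to /* in web.xml so every request in the webapp passes through it.
 */
public class SecureSessionFilter implements Filter {

    // Hypothetical attribute name; marks that the session was used under SSL.
    static final String SEEN_OVER_SSL = "example.sessionSeenOverSSL";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Look up an existing session only; do not create one for anonymous traffic.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // SSL request: make sure a session exists and flag it, so that from
            // now on the session id is only honoured over SSL.
            if (session == null) {
                session = request.getSession(true);
            }
            session.setAttribute(SEEN_OVER_SSL, Boolean.TRUE);
        } else if (session != null && session.getAttribute(SEEN_OVER_SSL) != null) {
            // Plain-HTTP request carrying a session id that was used under SSL:
            // the id has now travelled in cleartext, so treat it as compromised.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session may only be used over HTTPS");
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Two points worth knowing before relying on this: `isSecure()` reflects what the Tomcat connector sees, so if SSL is terminated on a front-end server and Tomcat is reached over plain HTTP, every request looks insecure and the filter must be driven from whatever the front end passes through instead; and the filter flags the session on any SSL request rather than only after sensitive data is stored, which is the simpler and more conservative reading of Craig's advice.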