tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maninder S Batth <anywherei...@netscape.net>
Subject Re: problem with session tracking and redirection http<---> https
Date Fri, 18 Oct 2002 21:13:40 GMT
is the request method changing in redirection, for example post to get 
?? if it is, use HttpServletResponse.encodeURL()

Henrik Bentel wrote:

>
> Another weird behaviour I just discovered is the following:
>
> If a httpsession is created by a servlet processing a request sent 
> under(scheme) http, then redirects to https, the session is available 
> to the servlet processing in https. In other words, it stays put.
>
> HOWEVER, if a httpsession is created by a servlet processing a request 
> under https, and then redirects to http, the session is not available. 
> But if one redirects back to https agin, the session is available.
> Also, if you , after redirecting to http(where no session is to be 
> found) create a new session, and then redirect  back to https, the 
> original session is lost and the new session created in http scheme is 
> the current one.
>
> In tomcat3.3, session created in either schemes(http or https) "stays 
> put" when redirecting.
> I haven't found anything in the servlet specification that
> mentiones anything about this behaviour.
>
>
>
>
>
>> From: "Henrik Bentel" <henrik_bentel@hotmail.com>
>> Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>> To: tomcat-user@jakarta.apache.org
>> Subject: Re: problem with session tracking and redirection http<---> 
>> https
>> Date: Thu, 17 Oct 2002 04:45:21 +0000
>>
>>
>> ok, I see your point.
>> My approach is that I only use https to scramble the login request 
>> itself, so that a login password cannot be read,or sniffed, in clear 
>> text(it probably still can, if someone really, really tries). Nothing 
>> critical is stored in the http session itself.
>> A lot of websites do something similar, where only the password part 
>> is secure, and subsequent pages are insecure. and to change password, 
>> the old one has to be entered. I guess I'm a bit of a loss for a 
>> better way to do this?? Any well known approaches out there?
>>
>>
>> -Henrik
>>
>>> From: Jacob Kjome <hoju@visi.com>
>>> Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>> Subject: Re: problem with session tracking and redirection 
>>> http<--->  https Date: Wed, 16 Oct 2002 23:33:41 -0500
>>>
>>>
>>> This is the way Tomcat 4.x.x is made to work.  The reason for this 
>>> is security.  I think it can be assumed that you were under https 
>>> for a reason.  Maybe you entered your cedit card info and are 
>>> storing that in the session until the final submit.  Now, if you 
>>> stayed in the same session when moving to http from https, your 
>>> session id is in plain text.  This can be hijacked by anyone 
>>> sniffing network packets.  Once they have your session id, 
>>> theoreticaly, they have full access to everything you entered in 
>>> that session including your credit card info.  This is a *huge* 
>>> security issue and Tomcat.  Even if Tomcat-3.3.x allows you to do 
>>> this, you would be wise to dump the session on your own before 
>>> moving to http for your users' security.
>>>
>>> Obviously, this requires that you rethink some of your application 
>>> flow, but Tomcat-4.x.x is doing the right thing here.
>>>
>>> Jake
>>>
>>> At 02:28 AM 10/17/2002 +0000, you wrote:
>>>
>>>> Help!
>>>>
>>>> I recently tried to upgrade my version of Tomcat from 3.3 to 4.1(I 
>>>> also tried 4.0). My problem is that for some reason the httpsession 
>>>> is lost after redirection from https to http. I run apache in front 
>>>> of tomcat to handle static content plus certificate. My webapp 
>>>> depend on the ability to login a user of secure connection then 
>>>> redirect to an unsecure connection. I do the usual
>>>> res.sendRedirect(res.encodeRedirectURL.....)). But after 
>>>> redirecting to http protocol (to the same webapp context) the http 
>>>> session is null.
>>>> My webapp workes fine in Tomcat 3.3. Nothing has changed except 
>>>> tomcat version and of course the tomcat conf. files. I've tried 
>>>> both the Coyote connector and the ajp13 one. mod_jk and 
>>>> mod_jk2(which I couldn't get working) on the apache side. I've 
>>>> tried Apache 1.3 and Apache 2. And I am going insane.
>>>> My server.xml file is close to the default one, I've only added my 
>>>> context(defining docbase and such). For 3.3 this worked like a charm.
>>>> Anyone??
>>>>
>>>> -Henrik
>>>>
>>>>
>>>> _________________________________________________________________
>>>> Protect your PC - get McAfee.com VirusScan Online 
>>>> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe, e-mail:   
>>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>> For additional commands, e-mail: 
>>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>
>>
>>
>> _________________________________________________________________
>> Unlimited Internet access for only $21.95/month.  Try MSN! 
>> http://resourcecenter.msn.com/access/plans/2monthsfree.asp
>>
>>
>> -- 
>> To unsubscribe, e-mail:   
>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail: 
>> <mailto:tomcat-user-help@jakarta.apache.org>
>
>
>
> _________________________________________________________________
> Get a speedy connection with MSN Broadband.  Join now! 
> http://resourcecenter.msn.com/access/plans/freeactivation.asp
>
>
> -- 
> To unsubscribe, e-mail:   
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: 
> <mailto:tomcat-user-help@jakarta.apache.org>
>

-- 
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/



--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message