tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maninder S Batth <anywherei...@netscape.net>
Subject Re: problem with session tracking and redirection http<---> https
Date Sat, 19 Oct 2002 00:46:33 GMT
This is what i did:
1. use makes https request to tomcat for a jsp page , the jsp page 
creates a session and adds a variable into session.
This jsp page has hyerlink to another ShowVar.jsp but the hyperlink uses 
http protocol..
2. i click on the link and ShowVar.jsp displays me the session variable 
which was created by https jsp.
The first file is called PutVar.jsp . It works fine. I am including both 
the files.


Henrik Bentel wrote:

>
>
> yeah, I always encode the redirection URL.
> it's waird that it works if the session is created which under http, 
> but not under https.
>
> bug maybe?
>
>
>> From: Maninder S Batth <anywhereinfo@netscape.net>
>> Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>> To: tomcat-user@jakarta.apache.org
>> Subject: Re: problem with session tracking and redirection http<---> 
>> https
>> Date: Fri, 18 Oct 2002 14:13:40 -0700
>>
>> is the request method changing in redirection, for example post to 
>> get ?? if it is, use HttpServletResponse.encodeURL()
>>
>> Henrik Bentel wrote:
>>
>>>
>>> Another weird behaviour I just discovered is the following:
>>>
>>> If a httpsession is created by a servlet processing a request sent 
>>> under(scheme) http, then redirects to https, the session is 
>>> available to the servlet processing in https. In other words, it 
>>> stays put.
>>>
>>> HOWEVER, if a httpsession is created by a servlet processing a 
>>> request under https, and then redirects to http, the session is not 
>>> available. But if one redirects back to https agin, the session is 
>>> available.
>>> Also, if you , after redirecting to http(where no session is to be 
>>> found) create a new session, and then redirect  back to https, the 
>>> original session is lost and the new session created in http scheme 
>>> is the current one.
>>>
>>> In tomcat3.3, session created in either schemes(http or https) 
>>> "stays put" when redirecting.
>>> I haven't found anything in the servlet specification that
>>> mentiones anything about this behaviour.
>>>
>>>
>>>
>>>
>>>
>>>> From: "Henrik Bentel" <henrik_bentel@hotmail.com>
>>>> Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>> To: tomcat-user@jakarta.apache.org
>>>> Subject: Re: problem with session tracking and redirection 
>>>> http<---> https
>>>> Date: Thu, 17 Oct 2002 04:45:21 +0000
>>>>
>>>>
>>>> ok, I see your point.
>>>> My approach is that I only use https to scramble the login request 
>>>> itself, so that a login password cannot be read,or sniffed, in 
>>>> clear text(it probably still can, if someone really, really tries). 
>>>> Nothing critical is stored in the http session itself.
>>>> A lot of websites do something similar, where only the password 
>>>> part is secure, and subsequent pages are insecure. and to change 
>>>> password, the old one has to be entered. I guess I'm a bit of a 
>>>> loss for a better way to do this?? Any well known approaches out 
>>>> there?
>>>>
>>>>
>>>> -Henrik
>>>>
>>>>> From: Jacob Kjome <hoju@visi.com>
>>>>> Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>>> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>>> Subject: Re: problem with session tracking and redirection 
>>>>> http<--->  https Date: Wed, 16 Oct 2002 23:33:41 -0500
>>>>>
>>>>>
>>>>> This is the way Tomcat 4.x.x is made to work.  The reason for this 
>>>>> is security.  I think it can be assumed that you were under https 
>>>>> for a reason.  Maybe you entered your cedit card info and are 
>>>>> storing that in the session until the final submit.  Now, if you 
>>>>> stayed in the same session when moving to http from https, your 
>>>>> session id is in plain text.  This can be hijacked by anyone 
>>>>> sniffing network packets.  Once they have your session id, 
>>>>> theoreticaly, they have full access to everything you entered in 
>>>>> that session including your credit card info.  This is a *huge* 
>>>>> security issue and Tomcat.  Even if Tomcat-3.3.x allows you to do 
>>>>> this, you would be wise to dump the session on your own before 
>>>>> moving to http for your users' security.
>>>>>
>>>>> Obviously, this requires that you rethink some of your application 
>>>>> flow, but Tomcat-4.x.x is doing the right thing here.
>>>>>
>>>>> Jake
>>>>>
>>>>> At 02:28 AM 10/17/2002 +0000, you wrote:
>>>>>
>>>>>> Help!
>>>>>>
>>>>>> I recently tried to upgrade my version of Tomcat from 3.3 to 
>>>>>> 4.1(I also tried 4.0). My problem is that for some reason the 
>>>>>> httpsession is lost after redirection from https to http. I run 
>>>>>> apache in front of tomcat to handle static content plus 
>>>>>> certificate. My webapp depend on the ability to login a user of 
>>>>>> secure connection then redirect to an unsecure connection. I do 
>>>>>> the usual
>>>>>> res.sendRedirect(res.encodeRedirectURL.....)). But after 
>>>>>> redirecting to http protocol (to the same webapp context) the 
>>>>>> http session is null.
>>>>>> My webapp workes fine in Tomcat 3.3. Nothing has changed except 
>>>>>> tomcat version and of course the tomcat conf. files. I've tried 
>>>>>> both the Coyote connector and the ajp13 one. mod_jk and 
>>>>>> mod_jk2(which I couldn't get working) on the apache side. I've 
>>>>>> tried Apache 1.3 and Apache 2. And I am going insane.
>>>>>> My server.xml file is close to the default one, I've only added 
>>>>>> my context(defining docbase and such). For 3.3 this worked like a

>>>>>> charm.
>>>>>> Anyone??
>>>>>>
>>>>>> -Henrik
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________
>>>>>> Protect your PC - get McAfee.com VirusScan Online 
>>>>>> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> To unsubscribe, e-mail:   
>>>>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>>>> For additional commands, e-mail: 
>>>>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>>>
>>>>>
>>>>
>>>>
>>>> _________________________________________________________________
>>>> Unlimited Internet access for only $21.95/month.  Try MSN! 
>>>> http://resourcecenter.msn.com/access/plans/2monthsfree.asp
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe, e-mail:   
>>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>> For additional commands, e-mail: 
>>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>
>>>
>>>
>>>
>>> _________________________________________________________________
>>> Get a speedy connection with MSN Broadband.  Join now! 
>>> http://resourcecenter.msn.com/access/plans/freeactivation.asp
>>>
>>>
>>> -- 
>>> To unsubscribe, e-mail:   
>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>> For additional commands, e-mail: 
>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>
>>
>> -- 
>> Your favorite stores, helpful shopping tools and great gift ideas. 
>> Experience the convenience of buying online with Shop@Netscape! 
>> http://shopnow.netscape.com/
>>
>>
>>
>> -- 
>> To unsubscribe, e-mail:   
>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail: 
>> <mailto:tomcat-user-help@jakarta.apache.org>
>
>
>
> _________________________________________________________________
> Get a speedy connection with MSN Broadband.  Join now! 
> http://resourcecenter.msn.com/access/plans/freeactivation.asp
>
>
> -- 
> To unsubscribe, e-mail:   
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: 
> <mailto:tomcat-user-help@jakarta.apache.org>
>

-- 
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/


Mime
View raw message