tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sundar Chakravarthy" <>
Subject RE: passing a session from non-SSL to SSL
Date Mon, 07 Oct 2002 14:30:58 GMT


Does this mean I have to use pure https
for my webapp ? Isnt there a preformance
hit with pure- SSL ? 

I thought after I login user using SSL I could
switch to non-SSL for rest of the content.
This seems to be a real bottleneck.

Any options ? 


-----Original Message-----
From: Milt Epstein []
Sent: Saturday, September 07, 2002 11:33 PM
To: Tomcat Users List
Subject: Re: passing a session from non-SSL to SSL

On Fri, 6 Sep 2002, Joshua Szmajda wrote:

> Hi all,
>     I'm upgrading an application from Tomcat 3.2 to Tomcat 4.0, and
> I'm noticing that my application is now losing track of its sessions
> when I switch from non-SSL to SSL. The code worked fine in Tomcat
> 3.2.. I was wondering if there's something I'm missing. My
> server.xml has a single Ajp13 connector and a plain vanilla host /
> context configuration. I've JKMount'ed /* to ajp13 in apache on both
> the normal and SSL virtual hosts.
>     I'm sure it's something in the spec that's changed, but I can't
> for the life of me find out what. Changing the code is possible, but
> preferably avoidable as I didn't write it.

It's well known that Tomcat does not preserve sessions when switching
from SSL to non-SSL (and/or vice-versa).  Don't know about earlier
versions, but that's true of the current version.  You can check the
archives to see where others have brought this up.

I don't think this is a spec issue, so I guess either it was an
implementation choice by the Tomcat developers or perhaps there's no
way (or no easy way) around it.  If it was an implementation choice, I
don't know what it was based on.  I believe there are other servlet
containers that you can set up so that such switching does not lose
sessions.  I'm not sure of all the technical issues involved.

Also note that some will say that it doesn't make sense to switch back
and forth between SSL and non-SSL because security is compromised.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message