tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henrik Bentel" <henrik_ben...@hotmail.com>
Subject Re: problem with session tracking and redirection http<---> https
Date Fri, 18 Oct 2002 23:07:17 GMT


yeah, I always encode the redirection URL.
it's waird that it works if the session is created which under http, but not 
under https.

bug maybe?


>From: Maninder S Batth <anywhereinfo@netscape.net>
>Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>To: tomcat-user@jakarta.apache.org
>Subject: Re: problem with session tracking and redirection http<---> https
>Date: Fri, 18 Oct 2002 14:13:40 -0700
>
>is the request method changing in redirection, for example post to get ?? 
>if it is, use HttpServletResponse.encodeURL()
>
>Henrik Bentel wrote:
>
>>
>>Another weird behaviour I just discovered is the following:
>>
>>If a httpsession is created by a servlet processing a request sent 
>>under(scheme) http, then redirects to https, the session is available to 
>>the servlet processing in https. In other words, it stays put.
>>
>>HOWEVER, if a httpsession is created by a servlet processing a request 
>>under https, and then redirects to http, the session is not available. But 
>>if one redirects back to https agin, the session is available.
>>Also, if you , after redirecting to http(where no session is to be found) 
>>create a new session, and then redirect  back to https, the original 
>>session is lost and the new session created in http scheme is the current 
>>one.
>>
>>In tomcat3.3, session created in either schemes(http or https) "stays put" 
>>when redirecting.
>>I haven't found anything in the servlet specification that
>>mentiones anything about this behaviour.
>>
>>
>>
>>
>>
>>>From: "Henrik Bentel" <henrik_bentel@hotmail.com>
>>>Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>To: tomcat-user@jakarta.apache.org
>>>Subject: Re: problem with session tracking and redirection http<---> 
>>>https
>>>Date: Thu, 17 Oct 2002 04:45:21 +0000
>>>
>>>
>>>ok, I see your point.
>>>My approach is that I only use https to scramble the login request 
>>>itself, so that a login password cannot be read,or sniffed, in clear 
>>>text(it probably still can, if someone really, really tries). Nothing 
>>>critical is stored in the http session itself.
>>>A lot of websites do something similar, where only the password part is 
>>>secure, and subsequent pages are insecure. and to change password, the 
>>>old one has to be entered. I guess I'm a bit of a loss for a better way 
>>>to do this?? Any well known approaches out there?
>>>
>>>
>>>-Henrik
>>>
>>>>From: Jacob Kjome <hoju@visi.com>
>>>>Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>>Subject: Re: problem with session tracking and redirection http<--->
 
>>>>https Date: Wed, 16 Oct 2002 23:33:41 -0500
>>>>
>>>>
>>>>This is the way Tomcat 4.x.x is made to work.  The reason for this is 
>>>>security.  I think it can be assumed that you were under https for a 
>>>>reason.  Maybe you entered your cedit card info and are storing that in 
>>>>the session until the final submit.  Now, if you stayed in the same 
>>>>session when moving to http from https, your session id is in plain 
>>>>text.  This can be hijacked by anyone sniffing network packets.  Once 
>>>>they have your session id, theoreticaly, they have full access to 
>>>>everything you entered in that session including your credit card info.  
>>>>This is a *huge* security issue and Tomcat.  Even if Tomcat-3.3.x allows 
>>>>you to do this, you would be wise to dump the session on your own before 
>>>>moving to http for your users' security.
>>>>
>>>>Obviously, this requires that you rethink some of your application flow, 
>>>>but Tomcat-4.x.x is doing the right thing here.
>>>>
>>>>Jake
>>>>
>>>>At 02:28 AM 10/17/2002 +0000, you wrote:
>>>>
>>>>>Help!
>>>>>
>>>>>I recently tried to upgrade my version of Tomcat from 3.3 to 4.1(I also

>>>>>tried 4.0). My problem is that for some reason the httpsession is lost

>>>>>after redirection from https to http. I run apache in front of tomcat

>>>>>to handle static content plus certificate. My webapp depend on the 
>>>>>ability to login a user of secure connection then redirect to an 
>>>>>unsecure connection. I do the usual
>>>>>res.sendRedirect(res.encodeRedirectURL.....)). But after redirecting to

>>>>>http protocol (to the same webapp context) the http session is null.
>>>>>My webapp workes fine in Tomcat 3.3. Nothing has changed except tomcat

>>>>>version and of course the tomcat conf. files. I've tried both the 
>>>>>Coyote connector and the ajp13 one. mod_jk and mod_jk2(which I couldn't

>>>>>get working) on the apache side. I've tried Apache 1.3 and Apache 2. 
>>>>>And I am going insane.
>>>>>My server.xml file is close to the default one, I've only added my 
>>>>>context(defining docbase and such). For 3.3 this worked like a charm.
>>>>>Anyone??
>>>>>
>>>>>-Henrik
>>>>>
>>>>>
>>>>>_________________________________________________________________
>>>>>Protect your PC - get McAfee.com VirusScan Online 
>>>>>http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>>>>>
>>>>>
>>>>>--
>>>>>To unsubscribe, e-mail:   
>>>>><mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>>>For additional commands, e-mail: 
>>>>><mailto:tomcat-user-help@jakarta.apache.org>
>>>>
>>>
>>>
>>>_________________________________________________________________
>>>Unlimited Internet access for only $21.95/month.  Try MSN! 
>>>http://resourcecenter.msn.com/access/plans/2monthsfree.asp
>>>
>>>
>>>--
>>>To unsubscribe, e-mail:   
>>><mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>For additional commands, e-mail: 
>>><mailto:tomcat-user-help@jakarta.apache.org>
>>
>>
>>
>>_________________________________________________________________
>>Get a speedy connection with MSN Broadband.  Join now! 
>>http://resourcecenter.msn.com/access/plans/freeactivation.asp
>>
>>
>>--
>>To unsubscribe, e-mail:   
>><mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>For additional commands, e-mail: 
>><mailto:tomcat-user-help@jakarta.apache.org>
>>
>
>--
>Your favorite stores, helpful shopping tools and great gift ideas. 
>Experience the convenience of buying online with Shop@Netscape! 
>http://shopnow.netscape.com/
>
>
>
>--
>To unsubscribe, e-mail:   
><mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: 
><mailto:tomcat-user-help@jakarta.apache.org>


_________________________________________________________________
Get a speedy connection with MSN Broadband.  Join now! 
http://resourcecenter.msn.com/access/plans/freeactivation.asp


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message