From: "Zabel, Ian"
To: 'Tomcat Users List' <tomcat-user@jakarta.apache.org>
Subject: RE: Session lost between HTTPS and HTTP
Date: Tue, 4 Feb 2003 12:46:44 -0500

As far as I know, http://www.app.com/ and https://www.app.com/ are supposed to be allowed to share cookies on standard ports.

http://w6.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html

Ian.
-----Original Message-----
From: Filip Hanik [mailto:Filip.Hanik@evant.com]
Sent: Tuesday, February 04, 2003 12:40 PM
To: Tomcat Users List
Subject: RE: Session lost between HTTPS and HTTP

Yeah, it is a security issue, I believe. Not sure how Tomcat does that, but it shouldn't allow a session that was created on HTTPS to switch to HTTP.

Filip

-----Original Message-----
From: Zabel, Ian [mailto:IZabel@cirqit.com]
Sent: Tuesday, February 04, 2003 9:35 AM
To: tomcat-user@jakarta.apache.org
Subject: Session lost between HTTPS and HTTP

All;

We are having a chronic problem that is causing a lot of trouble with our application's users.

In our app, we authenticate users on our HTTPS server and then serve the homepage also on HTTPS. All links on the homepage to the other pages in our app switch the user to the same URL on HTTP. If a user's session is created on HTTPS (https://www.app.com), when they are switched over to HTTP (http://www.app.com) the session cookie is not sent by the browser and they therefore lose their session.

NOTE: This is not a problem if the user's session is created on HTTP. The session is created on HTTP, they authenticate over HTTPS and then are switched back to HTTP, and their session is maintained with no problems.

Our workaround has been to pass the jsessionid on the URL wherever we can, but there are places we can't do this.

We did not start having this problem until we switched from Apache/ServletExec to Apache/Tomcat4.0.x/mod_jk. We are using Apache with OpenSSL to serve our HTTPS pages.

Is it valid for a cookie created on HTTPS to be sent to the same exact URL on HTTP?

Ian.
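The behaviour Ian describes is the Secure cookie attribute at work: when a session is created on a request Tomcat sees as secure (with mod_jk, Apache passes the SSL status through), Tomcat emits the JSESSIONID cookie with the Secure attribute, and a browser never sends a Secure cookie over plain HTTP, standard port or not. A session created over HTTP gets no Secure attribute, so that cookie travels on both schemes, which is exactly the asymmetry in the NOTE above. The script below is an added example, not code from the thread or from Tomcat; it reproduces the browser side with Python's standard-library cookie jar. The two Set-Cookie lines, the host www.app.com, the path /page and the session id ABC123 are constructed for the demonstration.

```python
"""Added example: why a session cookie set over HTTPS is not sent over HTTP.

Simulates a browser cookie jar (http.cookiejar, which applies the same
Secure rule as a browser) against constructed Set-Cookie lines of the kind
Tomcat emits.  Not code from the mailing-list thread or from Tomcat.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeats

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_line, set_on_url, fetch_url):
    """Server sets one cookie while the browser is at set_on_url; the browser
    then requests fetch_url.  Returns the Cookie header it would send, or
    None if the jar withholds the cookie (e.g. Secure cookie on http://)."""
    jar = CookieJar()
    # Browser receives the Set-Cookie on the first URL (scheme matters only
    # for *sending*; Secure cookies may still be stored from any response).
    jar.extract_cookies(_FakeResponse([set_cookie_line]), Request(set_on_url))
    # Browser builds the follow-up request; the jar decides what to attach.
    req = Request(fetch_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


# Constructed Set-Cookie lines (hypothetical session id).
# Session created over HTTPS: Tomcat adds the Secure attribute.
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/; Secure"
# Session created over HTTP: same cookie without Secure.
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/"

HTTPS_HOME = "https://www.app.com/"
HTTP_HOME = "http://www.app.com/"
HTTPS_PAGE = "https://www.app.com/page"
HTTP_PAGE = "http://www.app.com/page"


def session_survives_switch():
    """Map each scenario from the thread to whether JSESSIONID is sent."""
    return {
        # Ian's broken case: session created on HTTPS, links go to HTTP.
        "created on HTTPS, next page on HTTP":
            cookie_header_sent(SECURE_COOKIE, HTTPS_HOME, HTTP_PAGE) is not None,
        # Staying on HTTPS works.
        "created on HTTPS, next page on HTTPS":
            cookie_header_sent(SECURE_COOKIE, HTTPS_HOME, HTTPS_PAGE) is not None,
        # Ian's NOTE: session created on HTTP is sent everywhere.
        "created on HTTP, next page on HTTP":
            cookie_header_sent(PLAIN_COOKIE, HTTP_HOME, HTTP_PAGE) is not None,
        "created on HTTP, next page on HTTPS":
            cookie_header_sent(PLAIN_COOKIE, HTTP_HOME, HTTPS_PAGE) is not None,
    }


if __name__ == "__main__":
    for scenario, sent in session_survives_switch().items():
        print(f"{scenario:40s} -> cookie sent: {sent}")
```

Only the first scenario loses the cookie, and that is the browser enforcing Secure, not a mod_jk or Tomcat bug. The attribute exists so that an authenticated session id never appears on the wire in cleartext; the jsessionid-in-URL workaround mentioned in the thread puts that id back into plaintext requests, server logs and Referer headers, so the safer fix is to keep the authenticated part of the application on HTTPS rather than to make the cookie cross schemes.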