tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: https --> http session problem
Date Mon, 17 Nov 2003 17:10:06 GMT
On 11/17/2003 05:15 PM Andrew Mottaz wrote:
>>Also, as far as I can see, the java community has decided that once you
>>start a secure session, you should stay in a secure session, for various
>>security reasons. Are you doing a secure login and then redirecting back
>>to http afterwards?
> 
> Imagine the following scenario -- A web site has different levels of user
> access.  The difference between the users is what products they can see.
> The data is not terribly sensitive.  However, the log-in should be secure
> for several reasons -- 1) For the users perception -- people do not like the
> "This form is not secure" message when logging in.  2)  Capturing a user id
> and password is worse than hijacking one session.
> 
[snipped]
> Also -- this is the standard for Tomcat -- not Java --( it may be in the
> servlet/jsp spec -- but if so, it is a new addition).  Other Java based app
> servers treat this differently.
> 
[snipped]
> Again -- Just my 2 cents -- Is there a security issue I'm missing?  If the
> argument is that you should NEVER go from secure to non-secure, the Tomcat
> solution does not assure that. It only means that you have to go non-secure,
> secure, and then non-secure.  That seems quite arbitrary to me.

I'm not sure I would put the argument in those terms - obviously you can 
go from secure to non-secure via redirects, but tomcat is not going to 
be nice about it, i.e. wave your cookies goodbye.

There is new stuff in the spec related to secure sessions, but I'm not 
sure if it involves cookies. The issue is about encrypting the 
form-based CMS login form and in bugzilla it didn't get much sympathy:

http://issues.apache.org/bugzilla/show_bug.cgi?id=23970

I assume the issue was discussed in depth but I couldn't find it on the 
tomcat-dev list. Perhaps it was discussed by JCP somewhere else while 
writing the spec. If anyone who is on the dev list knows, I'd love to 
read the discussion.

The spec is about to go final after which any change of the issue is 
doomed, unfortunately IMHO. I'd gladly lend my voice to any last-ditch 
attempt to get it changed.


Adam
-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
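The "wave your cookies goodbye" behaviour and the quoted "non-secure, secure, and then non-secure" path, as an added example that is not part of the original message or of Tomcat's own code. It assumes the container behaviour the thread is complaining about: when the servlet container creates the session on an https request it flags the JSESSIONID cookie Secure, and a browser then refuses to send that cookie on a plain http request. The host name, cookie value and Set-Cookie headers are constructed; Python's standard http.cookiejar plays the browser.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed values for the simulation (not from the original message).
HOST = "shop.example.com"
SESSION_COOKIE = "JSESSIONID=ABCDEF0123456789"


class _FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()
    on it and then reads the Set-Cookie headers from the returned Message."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def container_set_cookie(scheme):
    """Build the Set-Cookie header a container like Tomcat sends when it
    creates the session: the Secure flag is added only if the session was
    created on an https request (assumption, see lead-in)."""
    attrs = SESSION_COOKIE + "; Path=/"
    if scheme == "https":
        attrs += "; Secure"
    return attrs


def session_cookie_survives(schemes):
    """Walk a list of request schemes ("http"/"https").  The first request
    is the one on which the session is created; for every later request
    return True if the browser (CookieJar) attached the session cookie."""
    jar = http.cookiejar.CookieJar()
    first, rest = schemes[0], schemes[1:]

    # Request 1: the session is created here, the container sets JSESSIONID.
    login = urllib.request.Request(f"{first}://{HOST}/login.do")
    jar.extract_cookies(_FakeResponse([("Set-Cookie", container_set_cookie(first))]), login)

    sent = []
    for scheme in rest:
        req = urllib.request.Request(f"{scheme}://{HOST}/catalog.do")
        jar.add_cookie_header(req)  # CookieJar applies the Secure rule here
        sent.append(req.get_header("Cookie") == SESSION_COOKIE)
    return sent


if __name__ == "__main__":
    for path in (["https", "http"],
                 ["http", "https", "http"],
                 ["https", "https"],
                 ["http", "https"]):
        print(" -> ".join(path), session_cookie_survives(path))
```

The first path is the complaint in the thread: log in over https, redirect to http, and the session cookie is never sent again, so the container sees a new anonymous session. The second path is the workaround the quoted message calls arbitrary: if the session is first created over http, the cookie carries no Secure flag, is still sent on the https login, and survives the return to http, which of course also means that session id was already exposed on the wire before the login.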


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

