tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Session behaviour across http/https boundary
Date Fri, 09 Apr 2004 05:22:06 GMT

"Martin Alley" <martin.alley@ntlworld.com> wrote in message
news:001d01c41d62$3a04a540$3100a8c0@martinjfalley.com...
> Hi,
>
> I have a small web app that appears to illustrate the following
> behaviour.
> Session started in http is carried over to https, but session started in
> https is *not* carried over to http!
>
> Why?

This is for security reasons (so that it isn't possible to steal sensitive
information that was entered in via SSL).
>
>
> Web app has 3 pages
> Index.jsp
> Page2.jsp
> Logout.jsp (does session invalidate & forward to index.jsp)
>
> 1) go to index.jsp as http (session1)
> 2) follow https link to page2.jsp (session1)
> 3) follow https link to logout.jsp
> 4) now at https index.jsp with session2 (session2 created in https
> world)
> 5) follow https link to page2.jsp again (session2)
> 6) follow *http* link to index.jsp (session 3!!!)
>
> I don't understand why session 3 is created.
>
> I read that old browsers don't maintain sessions between http and https;
> I'm using IE6
>
> Can anyone explain this?
>
> Thanks
> Martin
> PS Code is below.
>
>
>
>
>
> ******************Index.jsp
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
> <%-- With the default page directive (session="true") the container creates a
>      session before this scriptlet runs, so getSession(false) never returns null
>      here. The implicit "request" object is already an HttpServletRequest. --%>
> <html>
> <body>
> <%
>         HttpSession mysession = request.getSession(false);
>
>         Log __log = LogFactory.getLog( this.getClass() );
>         __log.info("index.jsp");
>         __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
> %>
> <p>
> SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>
> </p>
>
> <p>
> <%-- encodeURL() only appends ;jsessionid=... when URL rewriting is in use --%>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/page2.jsp")%>">page2</a>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
> </p>
> </body>
> </html>
> ********************page2.jsp
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
> <%-- Same note as index.jsp: the page directive default creates the session
>      before this code runs, so mysession is never null in practice. --%>
> <html>
> <body>
> <%
>         HttpSession mysession = request.getSession(false);
>
>         Log __log = LogFactory.getLog( this.getClass() );
>         __log.info("page2");
>         __log.info("SessionID="+(mysession==null?"null":mysession.getId()));
> %>
> <p>
> SessionID=<%=(mysession==null?"null":mysession.getId())%><br/>
> </p>
>
> <p>
> <%-- this is the https -> http link that produces "session 3" in the test --%>
> <a href="<%=response.encodeURL("http://localhost:8080/sessiontest/index.jsp")%>">index page</a><br/>
> <a href="<%=response.encodeURL("https://localhost:8443/sessiontest/logout.jsp")%>">logout</a><br/>
> </p>
>
> </body>
> </html>
>
>
> *************logout.jsp
> <%@ page import="javax.servlet.*, javax.servlet.http.*, org.apache.commons.logging.*"%>
> <%
>         HttpSession mysession = request.getSession(false);
>         Log __log = LogFactory.getLog( this.getClass() );
>         __log.info("logout.jsp");
>         __log.info("pre invalidate SessionID="+(mysession==null?"null":mysession.getId()));
>
>         // "session" is the JSP implicit object; with the default session="true"
>         // it is never null here and is the same object as mysession.
>         if (session!=null)
>             session.invalidate();
>
>         // getId() may still be called on an invalidated session (most other
>         // accessors throw IllegalStateException); it reports the id just discarded.
>         __log.info("post invalidate SessionID="+(mysession==null?"null":mysession.getId()));
>
>         // Forwarding to index.jsp makes that page create a fresh session under
>         // the scheme of the current request (the session2/session3 seen above).
>         RequestDispatcher rd = request.getRequestDispatcher("/index.jsp");
>         rd.forward(request, response);
> %>




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
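The mechanism behind the behaviour discussed in this thread is browser-side: Tomcat sets the Secure attribute on the JSESSIONID cookie when the session is created on an SSL request, and a browser never sends a Secure cookie over plain http, whereas a cookie set over http carries no such flag and is sent on both schemes. (encodeURL() does not help across the boundary either, since Tomcat only rewrites a link whose scheme, host and port match the current request.) The script below, added here as an illustration and not part of the original thread or of Tomcat, reproduces the two cookie-jar outcomes offline with Python's standard http.cookiejar; the Set-Cookie values, session ids and URLs are constructed to mirror Martin's test app, and session_set_cookie() is an assumed model of the container's cookie, not Tomcat's code.

```python
"""Why a session started over https is not carried to http, but the reverse works.

Added example: models the cookie Tomcat emits (Secure only when the session was
created on an SSL request) and asks a standard browser-style cookie jar which
requests would get the JSESSIONID back. No network access is needed.
"""
import http.cookiejar
import urllib.request
from email.message import Message

SESSION_COOKIE = "JSESSIONID"
CONTEXT_PATH = "/sessiontest"

# Constructed URLs mirroring the test app in the thread.
HTTP_INDEX = "http://localhost:8080/sessiontest/index.jsp"
HTTPS_PAGE2 = "https://localhost:8443/sessiontest/page2.jsp"


def session_set_cookie(session_id, over_https):
    """Assumed model of the container's session cookie: Path scoped to the
    web app, plus the Secure attribute when created on an SSL request."""
    value = f"{SESSION_COOKIE}={session_id}; Path={CONTEXT_PATH}"
    if over_https:
        value += "; Secure"
    return value


class _HeaderOnlyResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._msg = Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._msg


def receive(jar, url, set_cookie_values):
    """Store cookies exactly as a browser would after fetching `url`."""
    req = urllib.request.Request(url)
    jar.extract_cookies(_HeaderOnlyResponse(set_cookie_values), req)


def session_id_sent(jar, url):
    """Return the JSESSIONID the browser would send to `url`, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if header is None:
        return None
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None


def session_started_over_http():
    """Session created on http: cookie has no Secure flag, so it is sent on
    both the http and the https URL (session1 survives the http -> https hop)."""
    jar = http.cookiejar.CookieJar()
    receive(jar, HTTP_INDEX, [session_set_cookie("session1", over_https=False)])
    return session_id_sent(jar, HTTP_INDEX), session_id_sent(jar, HTTPS_PAGE2)


def session_started_over_https():
    """Session created on https: cookie is Secure, so the http request carries
    no JSESSIONID and the container has to start a new session (session3)."""
    jar = http.cookiejar.CookieJar()
    receive(jar, HTTPS_PAGE2, [session_set_cookie("session2", over_https=True)])
    return session_id_sent(jar, HTTPS_PAGE2), session_id_sent(jar, HTTP_INDEX)


if __name__ == "__main__":
    print("started over http :", session_started_over_http())
    print("started over https:", session_started_over_https())
```

The asymmetry is the point Bill makes: a cookie that was only ever exchanged under SSL must not leak onto a cleartext request, where anyone on the path could read it and replay it against the https side. The converse direction is allowed because a cookie set over plain http was already exposed to the network, so letting https reuse it adds no new risk (though an application that logs users in over SSL should still issue a fresh session at that point rather than keep the one inherited from http).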

