tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anhony" <>
Subject Re: Session lost when switching from https to http in Tomcat 5.
Date Sun, 01 May 2005 12:40:14 GMT

Your help is greatly appreciated, I have hade a devil of a time with this. I 
am glad to know this was not caused by an error in my code.

Again, thanks very much for your help.

Best Regards,

----- Original Message ----- 
From: "Bob Feretich" <>
To: <>; <>
Sent: Sunday, May 01, 2005 4:48 AM
Subject: Re: Session lost when switching from https to http in Tomcat 5.

> Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a "secure" 
> cookie that is tagged for port 443 (or 8443) when the session begins under 
> HTTPS. Browsers are not allowed to send secure cookies under plain HTTP, 
> so your session is lost. For Tomcat 4 or 5 you must start your session 
> under HTTP, then switch to HTTPS to maintain a session across both. Tomcat 
> 3 had a config.xml option to always store JSESSIONID as non-secure.  It's 
> a long story. See the mailing list archive for the rants. In the its 
> current state, Tomcat's implementation does not agree with published "Best 
> Practices" and the *proposed* "State Management" standard, but the 
> decision was made to err on the side of security.
> I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. The 
> changes are not difficult, but you must implement your own mechanism to 
> prevent session hijacking. Non-secure JSESSIONID cookies create a security 
> hole.
> The committees are supposed address the security vs. state management 
> issue in the next Servlet Spec.
> Regards,
> Bob Feretich
>> I have a servlet/JSP application in which users establish their
>> servlet session using https but conduct the rest of their
>> interactions using http. The session appears not to be preserved
>> between https and http, ie. after switching from back to http the
>> request.getSession(false) call returns null. Can anyone shed light on
>> this for me? Is this expected? Is there a
>> workaround/configuration/setting in Tomcat 5 I might have missed?
>> Thanks
>> Anthony
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message