tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Feretich <>
Subject Re: Session lost when switching from https to http in Tomcat 5.
Date Sun, 01 May 2005 08:48:52 GMT
Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a 
"secure" cookie that is tagged for port 443 (or 8443) when the session 
begins under HTTPS. Browsers are not allowed to send secure cookies 
under plain HTTP, so your session is lost. For Tomcat 4 or 5 you must 
start your session under HTTP, then switch to HTTPS to maintain a 
session across both. Tomcat 3 had a config.xml option to always store 
JSESSIONID as non-secure.  It's a long story. See the mailing list 
archive for the rants. In the its current state, Tomcat's implementation 
does not agree with published "Best Practices" and the *proposed* "State 
Management" standard, but the decision was made to err on the side of 

I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. 
The changes are not difficult, but you must implement your own mechanism 
to prevent session hijacking. Non-secure JSESSIONID cookies create a 
security hole.

The committees are supposed address the security vs. state management 
issue in the next Servlet Spec.

Bob Feretich

> I have a servlet/JSP application in which users establish their
> servlet session using https but conduct the rest of their
> interactions using http. The session appears not to be preserved
> between https and http, ie. after switching from back to http the
> request.getSession(false) call returns null. Can anyone shed light on
> this for me? Is this expected? Is there a
> workaround/configuration/setting in Tomcat 5 I might have missed?
> Thanks
> Anthony

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message