tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Feretich <>
Subject Re: Moving from http to https doesnt expire session
Date Wed, 04 May 2005 19:20:19 GMT
If you start a session under http, Tomcat will maintain the session into 
https. This is the desired behavior for most users. Most e-commerce 
sites use "shopping cart" models and don't switch to https until you 
want to check out. If the session was changed on the transition, you 
would lose the shopping cart contents just as it was time to pay. Also, 
maintaining the session from http to https does not create a security 

Tomcat does not permit a session to be maintained across a https to http 
transition for security reasons.

To force a session to expire when moving from http to https...
For https pages, at the top of your servlet/jsp, where request is the 
HttpServletRequest object. Insert...
    if (!request.isSecure() ) // not needed if page is a secure resource
        {code to redirect back to the same page under https}
    // get the browser's cookies
    Cookie[] cookies = request.getCookies();
    if (cookies==null)
        {code to tell user to enable cookies}
    // check session
    HttpSession session = request.getSession(false);
    if (session!=null) {
       // Find the JSESSIONID cookie
       for (int i=0; i<cookies.length; i++) {
          if ("JSESSIONID".equals(cookies[i].getName() ) ) {
             if (!cookies[i].getsecure() ) {
                // invalidate non-secure session
                // see below Note 1.
             } // if cookie[]
          } // if found cookie
       } // for i
    } // if session
    session = request.getSession(true);

Note 1. At this spot in my servlet, I have code to redirect back to the 
sevlet under https. It shouldn't be required, but I may have suspected 
that session.invalidate() immediately followed by a 
request.getSession(true) didn't work.

Hope this helps.
Bob Feretich

> Subject: Moving from http to https doesnt expire session
> From:Fabian Pena <>
> Date:Mon, 02 May 2005 09:54:29 -0300
> hi all
> I have a simple question, at least I think that.
> I am developing an applicatin that contains confidential information,
> and I'm having a simple problem.
> when a user move from http to https de session doesnt expire, the
> jsessionid is the same.
> I want generate a new session and of course change de jsessionid in the
> first https request.
> Any one can help me.
> Thanks in advance
> Fabian 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message