tomcat-users mailing list archives

From Fabian Pena <fp...@adinet.com.uy>
Subject Re: Moving from http to https doesnt expire session
Date Wed, 04 May 2005 19:43:21 GMT
Thanks Bob.
Yes, I think an invalidate and then a request.getSession(true) doesn't work.
Do you know if there are some other options, or a tomcat setting to do this?

The only solution that I found at this moment was to set a different domain 
name for http and https.

As you see, my English is not good.

greetings
Fabian

Bob Feretich wrote:
> If you start a session under http, Tomcat will maintain the session into 
> https. This is the desired behavior for most users. Most e-commerce 
> sites use "shopping cart" models and don't switch to https until you 
> want to check out. If the session was changed on the transition, you 
> would lose the shopping cart contents just as it was time to pay. Also, 
> maintaining the session from http to https does not create a security 
> hazard.
> 
> Tomcat does not permit a session to be maintained across a https to http 
> transition for security reasons.
> 
> To force a session to expire when moving from http to https...
> For https pages, at the top of your servlet/jsp, where request is the 
> HttpServletRequest object. Insert...
>    if (!request.isSecure() ) // not needed if page is a secure resource
>        {code to redirect back to the same page under https}
>    // get the browser's cookies
>    Cookie[] cookies = request.getCookies();
>    if (cookies==null)
>        {code to tell user to enable cookies}
>    // check session
>    HttpSession session = request.getSession(false);
>    if (session!=null) {
>       // Find the JSESSIONID cookie
>       for (int i=0; i<cookies.length; i++) {
>          if ("JSESSIONID".equals(cookies[i].getName() ) ) {
>             if (!cookies[i].getSecure() ) {   // Cookie.getSecure(), not getsecure()
>                // invalidate non-secure session
>                session.invalidate();           // session is the HttpSession, not a method
>                // see below Note 1.
>                break;
>             } // if cookie[]
>          } // if found cookie
>       } // for i
>    } // if session
>    session = request.getSession(true);
> 
> Note 1. At this spot in my servlet, I have code to redirect back to the 
> servlet under https. It shouldn't be required, but I may have suspected 
> that session.invalidate() immediately followed by a 
> request.getSession(true) didn't work.
> 
> Hope this helps.
> Bob Feretich
> 
>> Subject: Moving from http to https doesnt expire session
>> From:Fabian Pena <fpena@adinet.com.uy>
>> Date:Mon, 02 May 2005 09:54:29 -0300
>> To:tomcat-user@jakarta.apache.org
>>
>> hi all
>>
>> I have a simple question, at least I think that.
>> I am developing an application that contains confidential information,
>> and I'm having a simple problem.
>> When a user moves from http to https the session doesn't expire; the
>> jsessionid is the same.
>> I want to generate a new session and of course change the jsessionid in the
>> first https request.
>>
>> Can anyone help me?
>>
>> Thanks in advance
>>
>> Fabian 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
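The thread is about session fixation across the HTTP-to-HTTPS boundary: a JSESSIONID issued over plain HTTP may have been observed on the wire, so the first HTTPS request should be served under a fresh ID. The following servlet filter is an added example written for this discussion; it is not Bob's or Fabian's code and not part of Tomcat. It regenerates the session once per session at the first secure request and carries the attributes over, so Bob's shopping-cart concern and Fabian's requirement are both met. The class name `SecureTransitionFilter` and the marker attribute `com.example.session.issuedOverHttps` are assumptions. One caveat on the snippet above: a browser never sends cookie attributes back in the `Cookie` header, so `Cookie.getSecure()` on a cookie read from the request is always false; the check below uses `request.isSecure()` plus a session attribute instead.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example, not Tomcat code): the first time a session
 * that already exists is used over HTTPS, drop it and issue a new JSESSIONID,
 * copying the attributes (e.g. a shopping cart) into the new session.
 * Servlet 2.x API only, so it also fits the Tomcat 5 era of this thread.
 */
public class SecureTransitionFilter implements Filter {

    /** Hypothetical marker set once the session has been re-issued over HTTPS. */
    static final String SECURE_MARKER = "com.example.session.issuedOverHttps";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // getSession(false): never create a session just to inspect it
            HttpSession session = request.getSession(false);
            if (request.isSecure() && session != null
                    && session.getAttribute(SECURE_MARKER) == null) {
                regenerate(request, session);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Saves the old session's attributes, invalidates it, creates a fresh
     * session (new JSESSIONID; Tomcat marks the cookie Secure on an HTTPS
     * request) and restores the attributes into it.
     */
    static HttpSession regenerate(HttpServletRequest request, HttpSession old) {
        Map saved = new HashMap();
        Enumeration names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Object entry : saved.entrySet()) {
            Map.Entry e = (Map.Entry) entry;
            fresh.setAttribute((String) e.getKey(), e.getValue());
        }
        // Flag the new session so later HTTPS requests do not rotate it again.
        fresh.setAttribute(SECURE_MARKER, Boolean.TRUE);
        return fresh;
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet or JSP. Because attributes are copied rather than discarded, anything stored only for the plain-HTTP phase (a pre-login flag, for instance) should be removed explicitly in `regenerate` if it must not survive the transition. On Servlet 3.1 and later containers, `request.changeSessionId()` does the ID rotation without invalidating the session, so the save-and-restore loop is unnecessary there.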