Message-ID: <427497F4.2020609@prodigy.net>
Date: Sun, 01 May 2005 01:48:52 -0700
From: Bob Feretich
To: anthonys123@comcast.net, tomcat-user@jakarta.apache.org
Subject: Re: Session lost when switching from https to http in Tomcat 5.
List-Id: "Tomcat Users List"
Tomcat (starting with Tomcat 4) stores the JSESSIONID cookie as a "secure" cookie that is tagged for port 443 (or 8443) when the session begins under HTTPS. Browsers are not allowed to send secure cookies under plain HTTP, so your session is lost. For Tomcat 4 or 5 you must start your session under HTTP, then switch to HTTPS to maintain a session across both.

Tomcat 3 had a config.xml option to always store JSESSIONID as non-secure. It's a long story. See the mailing list archive for the rants. In its current state, Tomcat's implementation does not agree with published "Best Practices" and the *proposed* "State Management" standard, but the decision was made to err on the side of security.

I have modified Tomcat 4 to permit sessions that span HTTP and HTTPS. The changes are not difficult, but you must implement your own mechanism to prevent session hijacking. Non-secure JSESSIONID cookies create a security hole. The committees are supposed to address the security vs. state management issue in the next Servlet Spec.

Regards,
Bob Feretich

> I have a servlet/JSP application in which users establish their
> servlet session using https but conduct the rest of their
> interactions using http. The session appears not to be preserved
> between https and http, i.e. after switching from https back to http the
> request.getSession(false) call returns null. Can anyone shed light on
> this for me? Is this expected? Is there a
> workaround/configuration/setting in Tomcat 5 I might have missed?
>
> Thanks
>
> Anthony
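The behaviour Bob describes is a client-side rule, not a Tomcat quirk: a cookie carrying the Secure attribute is withheld from every plain-HTTP request, so a JSESSIONID created over HTTPS simply never reaches the server on the HTTP pages. The script below is an added example (not code from the thread or from Tomcat) that reproduces both scenarios with Python's http.cookiejar, whose DefaultCookiePolicy enforces the same rule a browser does. The host app.example.com, the paths and the session id ABC123 are constructed sample values.

```python
"""Simulate how a browser's cookie jar treats a Secure session cookie.

Added example, not from the mailing-list thread: Python's
http.cookiejar.DefaultCookiePolicy applies the rule the thread describes,
a cookie with the Secure attribute is never sent on a plain-HTTP request.
All hosts, paths and cookie values below are constructed.
"""
import http.client
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for a urllib response; CookieJar.extract_cookies()
    only needs .info() to return a message object with get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = http.client.HTTPMessage()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie, set_url, fetch_url):
    """Store `set_cookie` as if the server at `set_url` had issued it, then
    return the Cookie header the jar attaches to a request for `fetch_url`
    (None when the policy withholds every cookie)."""
    jar = http.cookiejar.CookieJar()          # uses DefaultCookiePolicy
    login = urllib.request.Request(set_url)
    jar.extract_cookies(FakeResponse([set_cookie]), login)
    follow_up = urllib.request.Request(fetch_url)
    jar.add_cookie_header(follow_up)         # honours Secure vs. scheme
    return follow_up.get_header("Cookie")


# Constructed sample values; the session id is not a real one.
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/; Secure"   # what Tomcat 4/5 sets over HTTPS
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/"            # what it sets over HTTP
HTTPS_LOGIN = "https://app.example.com/login"
HTTP_LOGIN = "http://app.example.com/login"
HTTPS_PAGE = "https://app.example.com/account"
HTTP_PAGE = "http://app.example.com/home"


def session_started_under_https():
    """Anthony's scenario: session created over HTTPS, cookie marked Secure.
    The HTTPS page sees the session; the HTTP page sees no cookie at all."""
    return {
        "https_page": cookie_header_sent(SECURE_COOKIE, HTTPS_LOGIN, HTTPS_PAGE),
        "http_page": cookie_header_sent(SECURE_COOKIE, HTTPS_LOGIN, HTTP_PAGE),
    }


def session_started_under_http():
    """Bob's workaround: a session created over HTTP is not Secure, so the
    cookie travels on both schemes, and is therefore also exposed in clear
    on every HTTP request, which is the hijacking risk he warns about."""
    return {
        "https_page": cookie_header_sent(PLAIN_COOKIE, HTTP_LOGIN, HTTPS_PAGE),
        "http_page": cookie_header_sent(PLAIN_COOKIE, HTTP_LOGIN, HTTP_PAGE),
    }


if __name__ == "__main__":
    for name, scenario in (("https-first", session_started_under_https),
                           ("http-first", session_started_under_http)):
        print(name, scenario())
```

The first scenario returns None for the HTTP page, which is exactly why request.getSession(false) comes back null there: the server never received the id. The second scenario shows why the workaround is a trade-off rather than a fix; the same identifier that now works on both schemes is also carried over plaintext, so anyone able to observe that traffic holds a valid session.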