tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Williamson" <>
Subject problem with form authentication and SSL
Date Tue, 01 May 2007 17:12:16 GMT
 Hi, I'm relatively new to the tomcat server and I'm having a problem with
configuring tomcat for a particular behavior that I need.  I've scoured the
internet for several days and haven't been able to find anything on this

I'm trying to build a website with several SSL-protected pages and several
unprotected pages.  To do this, I'm using the built-in users/roles support
in tomcat.  My problem is that tomcat uses the same cookie for
authentication as it does for session tracking.

For example, when a user loads an unprotected page, tomcat sets a JSESSIONID
cookie with a "send over any type of connection" flag.  If the user later
moves to a protected page, it uses the same JSESSIONID cookie, even after
they've logged in.  A malicious third party could theoretically monitor the
connection while it's unprotected and then later initiate an SSL connection
with the same JSESSIONID posing as the legitimate user.  If the legitimate
user first logs in to a protected page, tomcat will automatically set the
JSESSIONID cookie to only send over protected connections.  Unfortunately,
if the user then moves to an unprotected page, tomcat blows away the
original cookie and creates a new one to send over any type of connection.

Is there any way to make tomcat use a different cookie for form
authentication than it does for session tracking?  That is, can I make it
use something other than JSESSIONID to authenticate a user?

Sorry for the verbose post, but I wanted to make my problem clear.  Any help
in this matter would be greatly appreciated.  Thank you for taking the time
to read this.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message