tomcat-users mailing list archives

From Dave <javao...@yahoo.com>
Subject Re: how to auto redirect to https from http
Date Thu, 07 Feb 2008 16:21:12 GMT
Chris,

The URL is not changed when I point to http://www.mydomain.com/login.html in the browser. The
.html is mapped to a servlet. I expected it to change to https://....

So it is not secure to start as http and then switch to https using the same http session,
because the session id is visible to a man-in-the-middle. Am I right? If it is not secure, why is it
allowed to work this way?

Even starting with https, if url-rewriting is used for session tracking (session id in the url),
it is not secure anymore, right?

  Thanks,
Dave

Christopher Schultz <chris@christopherschultz.net> wrote:

Dave,

Dave wrote:
| I moved the inside the as the following:
|
|
| Automatic SLL Forwarding
| /login.html
|
| CONFIDENTIAL
|
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What does
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a "http session" per se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a "secure" cookie
through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

- -chris

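As an added illustration of what Chris describes (redirect plain http to https, and kill the http-era session as you switch so its id stops being useful), here is a hypothetical servlet filter. It is not code from this thread or from Tomcat; the class name, the `MARK` attribute and the assumption of standard 80/443 ports are mine.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the thread). Map it to the paths that must be
// HTTPS, e.g. /login.html. Plain HTTP is redirected to the same URL over HTTPS;
// a session created while still on HTTP is replaced by a new one on the first
// HTTPS request, so an id that travelled in clear no longer names a live session.
// Assumes standard ports, so swapping the scheme alone yields the right URL.
public class SecureSessionFilter implements Filter {
    private static final String MARK = "SecureSessionFilter.createdOverHttps";
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {
            // Do not touch the session here: nothing should be created over HTTP.
            StringBuffer url = request.getRequestURL();
            url.replace(0, url.indexOf("://"), "https");
            if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
            response.sendRedirect(url.toString());
            return;
        }
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(MARK) == null) {
            // Unmarked session predates HTTPS: copy attributes, invalidate, re-create.
            Map<String, Object> saved = new HashMap<String, Object>();
            for (Enumeration<?> e = session.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, session.getAttribute(name));
            }
            session.invalidate();
            session = request.getSession(true);
            for (Map.Entry<String, Object> entry : saved.entrySet()) {
                session.setAttribute(entry.getKey(), entry.getValue());
            }
            session.setAttribute(MARK, Boolean.TRUE);
        }
        chain.doFilter(request, response);
    }
}
```

A session the application itself creates later over HTTPS (for instance at login) carries no mark and is rotated once on its next request, which is harmless. The filter's redirect does the same job as the CONFIDENTIAL transport-guarantee Dave tried, but in code where it is easy to see what happens to the session.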