tomcat-users mailing list archives
From: André Warnier
Subject: Re: Session lost when switching from https to http after upgrade to Tomcat 6
Date: Fri, 06 Jun 2008 22:34:00 GMT

Mark Thomas wrote:
> André Warnier wrote:
>> A lot of speculation here, but who knows ?
> Indeed. And it is all wrong.
Is that proven, or mere speculation on your part ?

>> To my knowledge, there exists no case where the browser would not send 
>> a cookie with every request, if it has it and it is valid.
> Well, there is the obvious example Rainer has already given of cookies 
> marked as secure. 
Which I mentioned, as one of the cases where a browser would not send 
the cookie.  But I don't think that a cookie sent by the browser over a 
secure connection is necessarily marked as "secure".  That is an 
attribute of the cookie, decided by the cookie creator.

> Given that the session is created under https this is
> probably what is happening. Sessions are not maintained in transitions 
> from https to http.
I think that you may err here.  Are you not confusing sessions and cookies ?
Is it really the session that is gone at the server side ?
Or is it that the session is still there, but the absence (in the 
browser request) of the cookie containing the session-id does not allow 
the server to reconnect the request with the still-existing session ?
I thought that this last was the problem originally mentioned.

It must be easy to distinguish between these two cases at the server 
side : either there is no cookie, or there is a cookie but the cookie-id 
it contains does not allow to reconnect validly to an existing session.
Which is it ?

There is something else that tickles my memory : in a previous message, 
krusek said : "For clarity,  Apache 2 is handling SSL not tomcat.  "
If so, does Tomcat even know that there is an SSL/HTTPS part ?
I mean, the connection between Apache and Tomcat via mod_jk, if they are 
all on the same host, has no particular reason to be SSL, or is it ? 
(that is ignorance on my part, I really don't know)

> If you need to protect the session creation with https then you should 
> almost certainly be providing the same level of protection for the 
> session ID.
Well, not necessarily.  I know you refer to a previous thread somewhere, 
but I beg to differ.  You may be wanting to protect via HTTPS the 
exchange of a user-id and password over the Internet.  But once that is 
done, the session data on the server probably contains other elements, 
sufficient to ensure that it is not someone else sending this same 
The application may be trivial, but not the user's password.

> Mark

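The message above asks how the server side can tell "the browser sent no session cookie" apart from "the browser sent a cookie whose id no longer matches a live session". The following servlet filter is an added example written for this page; it is not code from the thread or from Tomcat, and its class name, log format and the assumption that it is mapped in web.xml are its own. It also logs whether the container itself considers the request secure, which behind Apache/mod_jk depends on the SSL flag AJP forwards rather than on the scheme the browser used. It targets the Servlet 2.5 API that Tomcat 6 implements, so the ServletContext is taken from the FilterConfig.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (example, not part of Tomcat): classifies every request as
 *   NO_SESSION_ID     - no JSESSIONID arrived at all (cookie or URL rewriting),
 *   STALE_SESSION_ID  - an id arrived but no live session has that id,
 *   VALID_SESSION_ID  - an id arrived and matches a live session,
 * and logs the scheme/secure flags the container sees for the request.
 */
public class SessionDiagnosticFilter implements Filter {

    private ServletContext ctx;

    public void init(FilterConfig cfg) {
        ctx = cfg.getServletContext();
    }

    public void destroy() {
    }

    /** Pure classification, kept separate from logging so it can be tested without a container. */
    static String classify(HttpServletRequest req) {
        String requestedId = req.getRequestedSessionId();
        if (requestedId == null) {
            // Typical when a JSESSIONID cookie carrying the Secure attribute was
            // set over https and the browser then requests a plain http URL.
            return "NO_SESSION_ID";
        }
        if (!req.isRequestedSessionIdValid()) {
            // The id reached the server, but it does not resolve to a live session
            // (expired, invalidated, or created by another context/host).
            return "STALE_SESSION_ID";
        }
        return "VALID_SESSION_ID";
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession existing = req.getSession(false); // never create a session here
        ctx.log("session-diag uri=" + req.getRequestURI()
                + " scheme=" + req.getScheme()
                + " secure=" + req.isSecure()           // behind mod_jk: what AJP reported
                + " idFromCookie=" + req.isRequestedSessionIdFromCookie()
                + " state=" + classify(req)
                + " liveSession=" + (existing != null ? existing.getId() : "-"));
        chain.doFilter(request, response);
    }
}
```

Map the filter to `/*` in web.xml, reproduce the https-to-http transition, and read the log line for the http request: `NO_SESSION_ID` with `idFromCookie=false` means the browser withheld the cookie (the Secure-attribute case), while `STALE_SESSION_ID` means the cookie arrived and the problem is on the server side. The `secure=` field shows what Tomcat believed about the request that created the session; Tomcat marks the JSESSIONID cookie Secure when that request was reported as secure, so with Apache terminating SSL the flag depends on what mod_jk passed through.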
