tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Mon, 09 Jun 2008 16:15:00 GMT

Bill,

Bill Davidson wrote:
| One other thing I just noticed.  The login servlet runs
| under https.  After successful login, including creating a valid
| session, it calls
|
| HttpServletResponse.sendRedirect("http://myHost.myDomain.com/context/servlets/main");
|
| which is the one that ends up with no cookie.

Unfortunately, this is expected behavior. If the JSESSIONID cookie is
created for the first time during an HTTPS transaction, then the cookie
will be marked as "secure", and the browser will not send it when
switching back to non-SSL HTTP.

You have two options, here:

1. Make sure that the user has a session /before/ going into SSL mode

or

2. Make everything after login use SSL

Neither choice is particularly appetizing. :(

You might be able to write a filter to adjust the "secure" bit on the
cookie as it goes out the door, but I can't guarantee that would work.
I'm unsure of the security implications, there, either, but I suspect
they are not too bad.

-chris
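Option 2 above (make everything after login use SSL) can be expressed declaratively in the web application's deployment descriptor, so Tomcat itself refuses the plain-HTTP hop and the "secure" JSESSIONID cookie is always sent. This is an added example, not code from the thread; the /servlets/* path is taken from the redirect URL in the quoted message, and the 8080/8443 port numbers are assumed defaults.

```xml
<!-- web.xml (added example, not from the thread): require HTTPS for every
     request under /servlets/*, i.e. everything the user reaches after login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Post-login area</web-resource-name>
    <!-- path assumed from the sendRedirect() URL in the quoted message -->
    <url-pattern>/servlets/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain-HTTP request to this area is answered with a
         redirect to the same URL on the HTTPS connector, not served as-is -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server.xml: the HTTP connector needs redirectPort so it knows where to
     send requests that the constraint above bounces; ports are assumed -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
```

The login servlet should still redirect to an https:// URL (or a context-relative path, which sendRedirect() resolves against the scheme of the current HTTPS request), since the bounce only repairs a plain-HTTP hop that the secure cookie was designed never to take.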
