From: Rainer Jung
To: Tomcat Users List
Subject: Re: SessionID cookie not secure over SSL
Date: Tue, 27 Oct 2009 23:01:14 +0100
Message-ID: <4AE76DAA.4080709@kippdata.de>
References: <9533B907B006F745AAE94FAFD1C84C1CD306C3@EXCHANGE.helixmail.local> <4AE761D9.3010605@ice-sa.com>
In-Reply-To: <4AE761D9.3010605@ice-sa.com>

On 27.10.2009 22:10, André Warnier wrote:
> Joe Wallace wrote:
>>
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Sent: Tuesday, October 27, 2009 4:48 PM
>> To: Tomcat Users List
>> Subject: Re: SessionID cookie not secure over SSL
>>
>>
>>> Joe Wallace wrote:
>>>> I am using session cookies to track sessions. I am used to Jrun
>>>> where you would specifically set the cookie to be sent only over SSL
>>>> or https. This was not the default setting. I want users to
>>>> connect to my web site using https then they might click a link on
>>>> one of my web pages whose protocol is not secure. What is the
>>>> behavior of the JSESSIONID cookie in this situation.
>>>>
>>> Joe,
>>
>>> 1) assuming your setup is
>>
>>> browsers <--> IIS <--> Tomcat
>>>            A         B
>>
>>> which portion(s) is(/are) using HTTPS ? A ? B ? both ?
>>
>>> 2) "secure" is an attribute of a cookie, written inside of the cookie
>>> by the server creating the cookie in the first place.
>>> If set, it has as consequence that a browser will only send it back
>>> to the original server with subsequent requests, if these subsequent
>>> requests happen over a HTTPS connection.
>>
>>> In other words, if you set the secure attribute on the JSESSIONID
>>> cookie, because for instance your initial request happens over HTTPS,
>>> then you switch to a non-HTTPS part of the site, the browser is
>>> probably no longer going to send this cookie back to the server.
>>> In other words, you will, for practical purposes, "lose your session".
>>
>>> Not so, gurus ?
>>
>> Portion A is using IIS. IIS holds the SSL cert.
>> I am using AJP 1.3 connector for IIS
>> It is defined in the Tomcat Server.xml
>>
>>
>> />
>>
>
> Am I mistaken then to think that since the connection B from IIS to
> Tomcat is not over HTTPS but over AJP, Tomcat has no idea that HTTPS is
> being used ?

It should know that.
The AJP13 protocol transports the communication situation observed by the web server to Tomcat, which then provides it to the webapp by extracting it from the protocol in the AJP connector.

See also http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
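As an added, stand-alone illustration of the browser behaviour André describes in the quoted message (this is not code from the thread, from Tomcat or from the IIS connector), the script below uses Python's standard-library http.cookiejar, whose default policy applies the same rule a browser does: a cookie carrying the Secure attribute is returned only on HTTPS requests. The hostname www.example.com, the JSESSIONID value and the URLs are constructed for the example.

```python
"""Show how the Secure attribute on JSESSIONID decides whether a browser
returns the cookie on a later request.  Added example: it relies on the
browser-side cookie policy in Python's http.cookiejar, not on Tomcat."""
import http.client
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response.  CookieJar.extract_cookies()
    only calls info() on it; the headers are constructed for the example."""

    def __init__(self, set_cookie_values):
        self._msg = http.client.HTTPMessage()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # __setitem__ appends, so several are kept

    def info(self):
        return self._msg


def cookie_header_for(set_cookie_value, origin_url, next_url):
    """Store the cookie as if it arrived in a response to origin_url, then
    return the Cookie header the browser would attach to next_url.
    Returns None when the cookie policy withholds the cookie."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy enforces Secure
    origin_req = urllib.request.Request(origin_url)
    jar.extract_cookies(_FakeResponse([set_cookie_value]), origin_req)

    next_req = urllib.request.Request(next_url)
    jar.add_cookie_header(next_req)
    return next_req.get_header("Cookie")


# Constructed values: hostname, session id and paths are placeholders.
SECURE_COOKIE = "JSESSIONID=ABC123DEF456; Path=/app; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=ABC123DEF456; Path=/app; HttpOnly"
HTTPS_PAGE = "https://www.example.com/app/index.jsp"
HTTP_PAGE = "http://www.example.com/app/public.jsp"


def scenarios():
    """The three cases discussed in the thread, keyed by a short name."""
    return {
        # Secure cookie, user stays on HTTPS: the session continues.
        "secure_https_to_https": cookie_header_for(SECURE_COOKIE, HTTPS_PAGE, HTTPS_PAGE),
        # Secure cookie, user follows a plain-http link: the browser withholds
        # the cookie, so the session is "lost" for that request, but the
        # session id is never sent in clear text.
        "secure_https_to_http": cookie_header_for(SECURE_COOKIE, HTTPS_PAGE, HTTP_PAGE),
        # No Secure attribute: the session survives the switch, but the
        # session id crosses the plain-http link unencrypted.
        "plain_https_to_http": cookie_header_for(PLAIN_COOKIE, HTTPS_PAGE, HTTP_PAGE),
    }


if __name__ == "__main__":
    for name, header in scenarios().items():
        print(f"{name:22s} -> Cookie: {header}")
```

The first two cases are the trade-off André points out: a Secure JSESSIONID is protected on the wire precisely because it is not sent on the non-HTTPS part of the site. Whether Tomcat marks the cookie Secure at all depends on request.isSecure() being true inside Tomcat, which in the IIS/AJP setup in this thread comes from the SSL flag the web server connector forwards, as Rainer's reply and the linked proxy how-to describe; if that flag is not forwarded, Tomcat sees the request as plain HTTP and issues the cookie without the attribute.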