Tomcat session sharing - url rewrite and switching from http to https

 
Greenhorn
Hi,

My web application has pages in HTTP and HTTPS. When switching from HTTP to HTTPS by redirecting the URL, the cookie created in HTTP is carried over to HTTPS and hence the session is shared.

However, if I turn off cookies and use URL rewrite, even if I append the jsession id in the HTTPS URL, the session is *not* shared.

I read some posts online indicating that Tomcat doesn't allow session sharing from HTTP to HTTPS when using URL rewrite; is this true??

(* I note it might be insecure to do so, but this is the requirement.)

Thanks,
Winnie
 
Saloon Keeper
I've got some code in an app that I inherited that claims that. However, I'm not sure that those rules apply any more. That whole subsystem ended up being scrapped. In any event, this is more likely to be a problem when you invent your own security system instead of using the J2EE built-in container-managed security subsystem.

Don't imagine, however, that the session ID in the URL has to remain constant. The session ID is the key that's used to locate the actual HttpSession object for the user and as long as the server keeps tracking it, there's no technical reason why it couldn't change session IDs on each and every request/response cycle.

If you go manually mucking around with URLs and jamming in your own session ID, however, you can get into real trouble. Use the URL rewrite methods instead. They'll know what the current session ID is, and not accidentally jam in something that no longer applies.
 
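An added example, not code from the thread: a servlet illustrating the two points in the reply above, that the session ID is only a lookup key (it can be rotated with `changeSessionId()` while the `HttpSession` contents stay) and that links should come from `encodeURL` rather than from appending `jsessionid` by hand. The class name, the `visits` attribute and the `/account` path are hypothetical, and the `javax.servlet` imports assume a Servlet 3.1+ container using the `javax` namespace (Tomcat 10 and later use `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; map it to a path such as /account.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(true);

        // Application state lives in the HttpSession object, not in the ID.
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        // Servlet 3.1+: give the same session a fresh ID. The attributes set
        // above stay attached to the session; only the lookup key changes.
        String oldId = session.getId();
        String newId = request.changeSessionId();

        // Let the container decide whether and how to append the session ID.
        // If the client is not sending the session cookie, the result carries
        // ;jsessionid=<current id>; otherwise the URL comes back unchanged.
        // For sendRedirect() targets use response.encodeRedirectURL(...).
        String next = response.encodeURL(request.getContextPath() + "/account");

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("visits     = " + visits);
        out.println("id changed = " + !oldId.equals(newId));
        out.println("next link  = " + next);
    }
}
```

Following the printed link repeatedly keeps incrementing `visits` even though the ID in the URL differs on every response, which a hand-built URL with a remembered `jsessionid` would not survive.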