how to force new session cookie / sessionId when switching from http to https (in Tomcat)

my question upfront is:

When changing from http to 开发者_如何学Pythonhttps: How do I enforce on Tomcat that the value of the JSESSIONID / (i.e. the session cookie) gets changed?

Here's my situation:

I assume we are having a potential security issue in our application and wonder how to fix it.

We run a JSF1.2 / Seam2 application inside of a Tomcat 6.x and force the usage of session cookies (no sessionid in URLs).

We allow http access, but when a user logs in we switch to https and stay on https. We also do have a Filter that adds 'secure' to the cookie whenever the request is coming through https to ensure that the session cannot go back to http. (somehow I thought Tomcat would do that automatically)

I noticed that the JSESSIONID doesn't change when switching between http and https. This suggests to me that an attacker could potentially spy out the session cookie through http and then hijack the session.

So how can I tell Tomcat to use a different JSESSIONID when changing to https? (Or if thats the default behavior: What could lead to this not happening anymore?)

Thanks for any hints/ideas!

some time (years actually) I posted this filter here that we use to renew the session ID after the login:

https://issues.jboss.org/browse/JBSEAM-2450

We call newSession() just after a login to mark the session-ID to be renewed on the next GET request (POST requests don't work well due to the restore of the view state, but the POST/REDIRECT/GET with Seam will issue GETs quite often).

You might want put it into your filter -- or you just mark your session to be refreshed in the next GET request. Just make sure that you don't renew your session when processing a JSF POST request.

Someone else also provided a Tomcat Valve to solve this

Best regards, Alexander.