开发者

JSP - Not able to maintain session between http page and https page

I can't seem to find the one right answer to my problem. I'm being overwhelmed with information I'm finding on the internet, and I have no idea what I should do.

My setup is as follows : Apache server (front end), Tomcat 6.0 (back end), RapidSSL certificate is on the Apache server, my site is made up of Java Server Pages.

The problem :

I have a few pages that are unde开发者_JS百科r https, while the rest of the site pages are under http. The login page I have, is under https, and I've noticed that when I login, and redirect to an http page, that the session is not being maintained. Its creating a new one, which results in the user being sent to my 'session expired' page, when really, upon a successful login, they would be redirected to a different page.

Questions:

Why is the session not maintained when switched from https to http?

How do I fix this problem? I need the session attributes that are created on the http pages, to be present on the https pages, so when the user is then directed to an http page again, the session hasn't been recreated, and the attributes lost.

Please ask me any questions you feel are necessary in order to help me figure this out. I greatly appreciate any help I receive. This issue has become a stumbling block for me, especially since I obviously lack the 'expertise' to figure it out myself.


Allowing the user to use the same session after logging in is a security vulnerability. Tomcat by default does not allow sessions to migrate from SSL to non SSL pages.

You should change your logic so if a user is doing a login, the session is silently updated, and logged in instead of going to the session expired page.


It's likely that you're using "secure cookies" to maintain the session: these cookies don't propagate from HTTPS to HTTP. This is generally a good thing.

You can chose not to do this, but when you transfer a session from HTTPS to HTTP you have to take extra care that you don't allow it to be reused over HTTPS later, as it may have been compromised.


Are you using a simple reverse proxy to connect to Tomcat? If that's your case, use mod_proxy_ajp to use AJP to connect Apache HTTP Server to Tomcat Application Server.


I have the same issue, where some parts of the site are https, and some are http. I've found that with Tomcat, session cookies created over http carry over to https no problem, however session cookies created over https are lost when moving to http.

One solution I have found maintaining a session as the user travels the site, is to bounce the user around when they first arrive. I created a RequestFilter with the following code:

if (request.isSecure() && session.isNew()) { // session cookie created over ssl
    try { session.invalidate(); }
    catch (Exception e) { /* handle error */ }
    String url = request.getRequestURI().replaceFirst("https", "http");
    response.sendRedirect(url);
}
else if (!request.isSecure()) {
    String url = request.getRequestURI().replaceFirst("http", "https");
    response.sendRedirect(url);
}

This forces new sessions to non SSL to create a lasting session cookie, and then once a session exists, the user forwarded back to secure request. This results in the session staying alive.

Or here's an options that involves less bouncing around, just overwrite the session cookie with one that isn't secure:

if (request.isSecure() && session.isNew()) {
    Cookie c = new Cookie("JSESSIONID", request.getSession().getId());
    c.setSecure(false);
    response.addCookie(c);
}
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜