


Tomcat session sharing - url rewrite and switching from http to https

Winnie Tam
Greenhorn

Joined: Dec 17, 2010
Posts: 1
Hi,

My web application has pages in HTTP and HTTPS. When switching from HTTP to HTTPS by redirecting the URL, the cookie created in HTTP is carried over to HTTPS and hence the session is shared.

However, if I turn off cookies and use URL rewriting, even if I append the jsessionid to the HTTPS URL, the session is *not* shared.

I read some posts online indicating that Tomcat doesn't allow session sharing from HTTP to HTTPS when using URL rewriting. Is this true?

(* I note it might be insecure to do so, but this is the requirement.)

Thanks,
Winnie
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16101
    
  21

I've got some code in an app that I inherited that claims that. However, I'm not sure that those rules apply any more. That whole subsystem ended up being scrapped. In any event, this is more likely to be a problem when you invent your own security system instead of using the J2EE built-in container-managed security subsystem.

Don't imagine, however, that the session ID in the URL has to remain constant. The session ID is the key that's used to locate the actual HttpSession object for the user and as long as the server keeps tracking it, there's no technical reason why it couldn't change session IDs on each and every request/response cycle.

If you go manually mucking around with URLs and jamming in your own session ID, however, you can get into real trouble. Use the URL rewrite methods instead. They'll know what the current session ID is, and not accidentally jam in something that no longer applies.


Customer surveys are for companies who didn't pay proper attention to begin with.
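The approach Tim describes, as an added example that is not from this thread or from Tomcat itself: a servlet filter that sends plain-HTTP requests to their HTTPS equivalent and lets the container's encodeRedirectURL decide whether and how to carry the session ID, rather than appending ;jsessionid= by hand. The filter name, the /secure/* URL pattern and the assumption that HTTPS listens on the default port are mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (Servlet 3.0+, e.g. Tomcat 7+): forces /secure/* onto HTTPS.
@WebFilter("/secure/*")
public class HttpsRedirectFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Same host, path and query string, but over HTTPS.
            // Assumption: HTTPS is on port 443, so no explicit port is added.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            // encodeRedirectURL is the container's URL-rewrite method for redirects:
            // it knows whether the client is using cookies and which session ID is
            // currently valid, so the application never guesses or stores the ID.
            // Never build ";jsessionid=" by hand; a stale or attacker-supplied ID
            // is exactly the "real trouble" described above.
            response.sendRedirect(response.encodeRedirectURL(target.toString()));
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) { /* nothing to configure */ }

    @Override
    public void destroy() { /* nothing to release */ }
}
```

Whether a given container actually appends the ID to a redirect whose scheme differs from the current request's is container-specific, so check the Location header Tomcat emits; the point is that the container, not application code, chooses the current ID.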