
Tomcat session sharing - url rewrite and switching from http to https

 
Winnie Tam
Hi,

My web application has pages in HTTP and HTTPS. When switching from HTTP to HTTPS by redirecting the URL, the cookie created in HTTP is carried over to HTTPS and hence the session is shared.

However, if I turn off cookies and use URL rewriting, even if I append the jsession id to the HTTPS URL, the session is *not* shared.

I read some posts online indicating that Tomcat doesn't allow session sharing from HTTP to HTTPS when using URL rewriting. Is this true?

(* I note it might be insecure to do so, but this is the requirement.)

Thanks,
Winnie
 
Tim Holloway
I've got some code in an app that I inherited that claims that. However, I'm not sure that those rules apply any more. That whole subsystem ended up being scrapped. In any event, this is more likely to be a problem when you invent your own security system instead of using the J2EE built-in container-managed security subsystem.

Don't imagine, however, that the session ID in the URL has to remain constant. The session ID is the key that's used to locate the actual HttpSession object for the user and as long as the server keeps tracking it, there's no technical reason why it couldn't change session IDs on each and every request/response cycle.

If you go manually mucking around with URLs and jamming in your own session ID, however, you can get into real trouble. Use the URL rewrite methods instead. They'll know what the current session ID is, and not accidentally jam in something that no longer applies.
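
Added illustration, not part of the thread and not Tomcat's code: a self-contained Java model of the point made in the reply above, that the session ID is only a lookup key the container may change, so a URL carrying a hand-copied ID stops resolving while one built through the encoder keeps working. The class `RotatingSessionDemo` and its methods are hypothetical stand-ins; `encodeUrl` plays the role of `HttpServletResponse.encodeURL()`.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Toy model, not Tomcat code: sessions are looked up by an ID the container may change.
public class RotatingSessionDemo {
    private static final String PARAM = ";jsessionid=";
    private final Map<String, Map<String, Object>> sessions = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private String newId() { return new BigInteger(128, random).toString(16); }

    // Creates an empty session and returns the ID it is filed under.
    String create() {
        String id = newId();
        sessions.put(id, new HashMap<>());
        return id;
    }

    // Files the same session object under a fresh ID; the old ID stops resolving.
    String rotate(String currentId) {
        Map<String, Object> session = sessions.remove(currentId);
        if (session == null) throw new IllegalStateException("unknown session ID");
        String id = newId();
        sessions.put(id, session);
        return id;
    }

    // Returns the session named by the URL's ;jsessionid= path parameter, or null.
    Map<String, Object> resolve(String url) {
        int i = url.indexOf(PARAM);
        return i < 0 ? null : sessions.get(url.substring(i + PARAM.length()).split("[?#]")[0]);
    }

    // Stand-in for response.encodeURL(): puts the current ID before any query string.
    static String encodeUrl(String url, String currentId) {
        int q = url.indexOf('?');
        return q < 0 ? url + PARAM + currentId
                     : url.substring(0, q) + PARAM + currentId + url.substring(q);
    }

    public static void main(String[] args) {
        RotatingSessionDemo container = new RotatingSessionDemo();
        String id = container.create();
        container.resolve(encodeUrl("/shop/cart", id)).put("user", "example-user");
        String handBuilt = "/shop/checkout" + PARAM + id + "?step=1"; // ID copied by hand
        id = container.rotate(id);                                    // container re-keys
        String encoded = encodeUrl("/shop/checkout?step=1", id);      // uses the current ID
        System.out.println("hand-built: " + container.resolve(handBuilt));
        System.out.println("encoded:    " + container.resolve(encoded));
    }
}
```

It needs only the JDK to run; the URLs and the `user` attribute are constructed sample values.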
 