Tomcat session sharing - url rewrite and switching from http to https
|
Winnie Tam
Greenhorn
Joined: Dec 17, 2010
Posts: 1
|
|
Hi,
My web application has pages in HTTP and HTTPS. When switching from HTTP to HTTPS by redirecting the URL, the cookie created in HTTP is carried over to HTTPS and hence the session is shared.
However, if I turn off cookies and use URL rewriting, even if I append the jsession id in the HTTPS URL, the session is *not* shared.
I read some posts online that indicate Tomcat doesn't allow session sharing from HTTP to HTTPS when using URL rewriting. Is this true?
(* I note it might be insecure to do so, but this is the requirement.)
Thanks,
Winnie
|
 |
Tim Holloway
Saloon Keeper
Joined: Jun 25, 2001
Posts: 14487
|
|
I've got some code in an app that I inherited that claims that. However, I'm not sure that those rules apply any more. That whole subsystem ended up being scrapped. In any event, this is more likely to be a problem when you invent your own security system instead of using the J2EE built-in container-managed security subsystem.
Don't imagine, however, that the session ID in the URL has to remain constant. The session ID is the key that's used to locate the actual HttpSession object for the user and as long as the server keeps tracking it, there's no technical reason why it couldn't change session IDs on each and every request/response cycle.
If you go manually mucking around with URLs and jamming in your own session ID, however, you can get into real trouble. Use the URL rewrite methods instead. They'll know what the current session ID is, and not accidentally jam in something that no longer applies.
|
Customer surveys are for companies who didn't pay proper attention to begin with.
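The reply above recommends the container's URL rewrite methods over hand-built session URLs. The servlet below illustrates that advice; it is an added example, not code from either poster. The class name `LinkDemoServlet`, the `go` parameter, and the `cart` and `login` paths are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the class name, the "go" parameter and the
// "cart"/"login" paths are assumptions, not taken from the thread.
public class LinkDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Make sure a session exists so the container has an ID to track.
        request.getSession(true);

        if ("login".equals(request.getParameter("go"))) {
            // Redirect target: the container decides whether the session ID
            // has to travel in the URL; nothing is concatenated by hand.
            response.sendRedirect(response.encodeRedirectURL("login"));
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // Hand-built form (what the reply warns against): it freezes whatever
        // ID was current when the string was built, and puts the ID in the
        // URL even when the browser is already sending the session cookie.
        //   String link = "cart;jsessionid=" + request.getSession().getId();

        // Container-managed form: encodeURL() appends the current session ID
        // only when URL rewriting is actually needed for this client, and
        // returns the URL unchanged otherwise.
        String link = response.encodeURL("cart");
        out.println("<a href=\"" + link + "\">View cart</a>");
    }
}
```

With cookies enabled in the browser the rendered link is plain `cart`, so the session ID stays out of page source, browser history and Referer headers.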