Tomcat, keep session when moving from HTTPS to HTTP

rlovtang picture rlovtang · Jan 8, 2011 · Viewed 11.2k times · Source

I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP.

If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS.

However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP, forcing a new session and redirect to login page again. This time it works though, because this time the JSESSIONID cookie is set as non-secure.

How can I avoid that users have to log in twice when they hit the login page first?

Answer

Pat picture Pat · Jan 10, 2011

(Update: for clarity) Starting with the login Http get/post use https and use https through out the user's logged in session.

Use Http only when there is no logged in user.

There is a reason that cookies are not allow to cross protocol boundaries - it is an attack vector! (* see update below)

How to do this very bad idea

If you really insist, encode the jsessionId in the redirect to the http url ( or always encode the jsession id in the url). When Tomcat gets the http redirect, tomcat should find the session and continue.

Why you shouldn't do this

Seriously, any site that mixes https and http content on the same page is just opening themselves to all sorts of fun (and easy) attacks.

Going from https to keep the login "secure" is pointless if the rest of the session is in cleartext. So what that the username/password (probably just the password) is protected?

Using the ever-popular man-in-the-middle attack, the attacker just copies the session id and uses that to have fun. Since most sites don't expire sessions that stay active, the MIM effectively has full access as if they had the password.

If you think https is expensive in terms of performance look here, or just search. Easiest way to improve https performance to acceptable is to make sure the server is setting keep-alive on the connection.