How do I turn off secure cookies for session IDs? 2004-01-23 - By Dan Forward
Back
I have a web site that uses SSL on the main page for logging in (to encrypt
the password) but uses standard HTTP on most pages thereafter. I set a value in
the session that tells me the user is logged in and that value is checked on
every page. If the value is not present, the application redirects the user to
the login page. Oddly, the user has had to log in twice in this scenario. I have
identified the problem, which I will describe below, but have not found a
solution. Hopefully there is a configuration setting somewhere that will fix it.
The Problem
==========
The login page creates a session and sets a cookie as follows:
Set-Cookie: JSESSIONID�6A878059077E1ABEE058A62541957C; Path=/; Secure
The "Secure" on the end tells the web browser NOT to send the cookie back to
the server unless it is an SSL connection. When the user is redirected to the
next non-SSL page, no cookie is sent back to the server, a new session is
created, and a new cookie is set as follows:
Set-Cookie: JSESSIONID�2E4CACA42D045D7E1F1F55CB073C48; Path=/
My application, assuming the user is not logged in, redirects the user back to
the main page. There is an existing session, so it is used for the login
variable. Since the cookie is no longer labeled "Secure" it is valid for all
pages.
Possible Solutions
=================
This is where I need some help. If it is simply a configuration setting, I
have missed it. Otherwise I need to make sure a non-secure cookie exists before
displaying the login page. This could mean redirecting to a non-SSL page first
if the session is new or somehow grabbing the Cookie object before it is sent to
the browser and calling setSecure(false), neither of which seem like an elegant
solution.
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)
|
|
