How do I turn off secure cookies for session IDs?

Java Mailing List Archive

http://www.junlu.com/

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Struts - A MVC web framework

Tomcat - JSP/Servlet container

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

JSP - A mailing list about Java Server Pages specification and reference

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Oracle Connection Pooling in 3 2 2
•	Servlet : Session invalidate
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Tomcat and webapplication specific java library path
•	Running a Simple JMS Example
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	Cannot find message resources under key org apache struts action MESSAGE
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	url string for connecting jboss to oracle
•	Value attribute of <html:checkbox
•	javax servlet ServletException: BeanUtils populate
•	HTTP Status 404 The requested resource is not available
•	5 0 18: Windows XP Pro vs Windows 2000

How do I turn off secure cookies for session IDs?

How do I turn off secure cookies for session IDs?

2004-01-23 - By Justin Ruthenbeck

Back

Reply: 1 2 3 4

At 12:59 PM 1/23/2004, you wrote:
>The Problem
>===========
>
> The login page creates a session and sets a cookie as follows:
>
>Set-Cookie: JSESSIONID=A26A878059077E1ABEE058A62541957C; Path=/; Secure
>
> The "Secure" on the end tells the web browser NOT to send the cookie
> back to
>the server unless it is an SSL connection. When the user is redirected
>to the
>next non-SSL page, no cookie is sent back to the server, a new session is
>created, and a new cookie is set as follows:
>
>Set-Cookie: JSESSIONID=082E4CACA42D045D7E1F1F55CB073C48; Path=/
>
> My application, assuming the user is not logged in, redirects the
> user back to
>the main page. There is an existing session, so it is used for the login
>variable. Since the cookie is no longer labeled "Secure" it is valid for
>all
>pages.
>
>Possible Solutions
>==================
>
> This is where I need some help. If it is simply a configuration
> setting, I
>have missed it. Otherwise I need to make sure a non-secure cookie exists
>before
>displaying the login page. This could mean redirecting to a non-SSL page
>first
>if the session is new or somehow grabbing the Cookie object before it is
>sent to
>the browser and calling setSecure(false), neither of which seem like an
>elegant
>solution.

The general problem that you're hitting here is that you shouldn't/can't
start a session over a secure connection, then use the same session for
non-secure communication (this is logical and necessary). In this case,
you don't want a secure session -- you want only the l/p to be transfered
more securely.

The general solution, as you suggested, is to start the session over an
insecure connection to establish it as insecure. After the session has
been started, authenticate (more) securely and then continue to use the
same session when you switch back to insecure comm.

Note, of course, that starting a session with an insecure connection
makes it vulnerable when you switch over to secure. Presumably, however,
you're not *that* worried about the implications of this and are more
interested in hiding the l/p from curious eyes.

justin

__ ____ ____ ____ ____ ____ ____ ____ ____ ___
Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See:
http://www.nextengine.com/confidentiality.php
__ ____ ____ ____ ____ ____ ____ ____ ____ ___

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)

©2008 junlu.com - Jax Systems, LLC, U.S.A.