Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Keeping session alive when going between HTTP and SSL

Status
Not open for further replies.
mluken

mluken

Programmer
Dec 31, 2003
54
US
This seems pretty easy in theory to me, but I am stumped. I have a webapp running on Tomcat 4.1. A user signs in and I authenticate them based on a MySQL database and all that fun stuff, and add their UserID to the HttpServletRequest.Session if their signon is successful. This is non-secured and running on port 8080. I do not need this section to be secured. However, there is another portion of the site that DOES need to be secured with a certificate. The certificate is installed, and Tomcat is configured to redirect to port 8443 for secured requests. This is working as expected, EXCEPT once they click on that secured link, their Session does not carry over. I understand why, as the session is set on 8080 and the secured site is on 8443. But there has to be a way to keep that session alive?

This seems so simple to me but I am striking out! Any help or thoughts would be greatly appreciated!

Thanks!
 
Sort by date Sort by votes
The link that goes to the secure area is set by security constraint in web.xml or is it a link starting with https://
?
 
Upvote 0 Downvote
Upvote 0 Downvote
The just implemented the solution found below and it works !

Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
Author: r_klemme Dec 3, 2001 8:54 AM (reply 2 of 12)
hm, i do not have a solution but typically you don't do a secure login and then redirect to an insecure page. the normal scenario is to log into a secure page and stay secure. as far as i know HTTPS establishes its own kind of session which might be connected to the servlet session somehow. if that is the case then it's clear, that the HTTPS session is lost when you switch over to HTTP.

what could work is to have an initial page with HTTP, which creates a session (creating a cookie on in the browser or switching to URL rewriting) and only after that switch to HTTPS (and maybe switch back).

i guess you'll have to try out. sorry.

robert
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ankitbarmagajma
  • Locked
  • Question
What is a SAN, and how is it used?
Replies
1
Views
6K
wudtecker
wudtecker
frztcam
  • Locked
  • Question
http://getnutritionshelp.com/max-trim-365/
Replies
0
Views
801
frztcam
frztcam
ChrisCas
  • Locked
  • Question
Tomcat & SSL - "Empty reply from server" 1
Replies
1
Views
362
ChrisCas
ChrisCas
Leonard888
  • Locked
  • Question
SSL Configuration for Apache Tomcat 5.5 Servlet/JSP Container
Replies
1
Views
472
Diancecht
Diancecht
PuterMonkey
  • Locked
  • Question
Disable SSL 3.0 on Tomcat7w running on Server 2008 R2
Replies
1
Views
302
Diancecht
Diancecht

Part and Inventory Search

Sponsor

Back
Top