Can Tomcat provide separate (or HTTPS only) sessions for HTTPS requests?
Posted by Joe on Stack Overflow
Published on 2010-03-23T15:14:54Z
I have a web application which contains both secure (SSL) and non-secure pages.
A user can login to the site and must appear logged-in in both the SSL and non-SSL areas.
(NB. SSL isn't implemented via Tomcat, but via Apache HTTPD servers which sit in front of Tomcat - so Tomcat has no SSL configuration.)
The logged-in state is currently maintained via a servlet session (using Tomcat's vanilla session management).
The obvious issue with this approach is that the JSESSIONID cookie is transported over both HTTP and HTTPS connections, meaning that it's potentially possible to intercept it and hijack the session.
Are there any solutions to this without rolling our own session management (i.e. does Tomcat cater for this situation)?
I'm prepared to implement our own session management, but don't want to reinvent something that may already be supported.
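One way to limit what a sniffed JSESSIONID is worth without replacing Tomcat's session management is to keep the ordinary session cookie for the HTTP pages and bind a second, Secure-flagged cookie to the same session for the HTTPS pages. The servlet filter below is an added example written for this answer; it is not code from the question, from Tomcat or from any project. The cookie name SECURETOKEN, the session attribute name and the filter class name are hypothetical, and it assumes that login happens over HTTPS and that request.isSecure() correctly reflects the Apache front-end (see the note after the code).

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the question or from Tomcat): pairs the ordinary
 * JSESSIONID session with a second token that the browser only ever sends
 * over HTTPS. JSESSIONID keeps the user "logged in" on plain HTTP pages, but
 * an HTTPS page additionally demands the Secure-flagged token, which a
 * passive listener on the HTTP side never observes.
 */
public class SecureAreaTokenFilter implements Filter {

    /** Cookie and session-attribute names are hypothetical choices. */
    static final String COOKIE_NAME = "SECURETOKEN";
    static final String SESSION_ATTR = "secureArea.token";
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Call this from the login handler, which is assumed to run over HTTPS:
     * mints a fresh random token, remembers it server-side in the session and
     * hands it to the browser with the Secure flag set.
     */
    public static void issueSecureToken(HttpSession session, HttpServletResponse response) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = toHex(raw);
        session.setAttribute(SESSION_ATTR, token);
        Cookie c = new Cookie(COOKIE_NAME, token);
        c.setSecure(true);   // browser returns it on HTTPS requests only
        c.setPath("/");      // no max age: the cookie dies with the browser session
        response.addCookie(c);
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Plain HTTP: the session cookie alone is all we have, so the
        // application should treat such requests as low-trust.
        if (!request.isSecure()) {
            chain.doFilter(req, resp);
            return;
        }

        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);

        // A session that was logged in over HTTPS must present the matching
        // Secure cookie; a stolen JSESSIONID on its own fails this check.
        if (expected != null && !matches(expected, readCookie(request, COOKIE_NAME))) {
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, resp);
    }

    static boolean matches(String expected, String presented) {
        if (presented == null) return false;
        // MessageDigest.isEqual does not stop at the first differing byte on
        // modern JDKs, so a wrong token cannot be probed character by character.
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }

    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter to /* in web.xml and call issueSecureToken from the login handler. Two caveats apply to the setup described in the question. First, because TLS is terminated in Apache, request.isSecure() is only meaningful if the connector tells Tomcat which requests were HTTPS: an AJP connector forwards the SSL flag, whereas a plain HTTP connector that only ever receives proxied HTTPS traffic needs secure="true" in server.xml; if isSecure() were wrong, the filter would silently skip the check on HTTPS pages. Second, this design deliberately leaves the HTTP pages protected by JSESSIONID alone, so anything a hijacked session could do there must be acceptable; it caps what the stolen cookie buys rather than preventing the theft. For comparison, the Servlet 3.0 cookie-config secure setting makes JSESSIONID itself HTTPS-only, which protects the cookie but removes the logged-in state from the non-SSL pages, so it does not fit the requirement stated above.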