Can Tomcat provide separate (or HTTPS only) sessions for HTTPS requests?

Posted by Joe on Stack Overflow
Published on 2010-03-23T15:14:54Z Indexed on 2010/03/24 8:23 UTC


I have a web application which contains both secure (SSL) and non-secure pages.

A user can login to the site and must appear logged-in in both the SSL and non-SSL areas.

(NB. SSL isn't implemented via Tomcat, but via Apache HTTPD servers which sit in front of Tomcat - so Tomcat has no SSL configuration.)

The logged-in state is currently maintained via a servlet session (using Tomcat's vanilla session management).

The obvious issue with this approach is that the JSESSIONID cookie is transported over both HTTP and HTTPS connections, meaning that it's potentially possible to intercept it and hijack the session.

Are there any solutions to this without rolling our own session management (i.e. does Tomcat cater for this situation)?

I'm prepared to implement our own session management, but don't want to reinvent something that may already be supported.
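One pattern that fits the situation described in the question, as an added example that is not code from the original post: keep Tomcat's vanilla JSESSIONID for the non-SSL area, and bind a second, `Secure`-flagged marker cookie to the session for the HTTPS area, so a JSESSIONID captured on plain HTTP is not enough to reach the secure pages. It assumes Tomcat can tell the request arrived over TLS (`request.isSecure()`, which holds with AJP from Apache or with RemoteIpValve honouring X-Forwarded-Proto); the cookie and attribute names are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// HTTPS-only session marker layered on top of Tomcat's plain JSESSIONID.
// Assumes request.isSecure() is accurate behind the Apache front end (AJP or RemoteIpValve).
public class SecureSessionFilter implements Filter {
    static final String COOKIE_NAME = "SSLSESSIONID";   // hypothetical name
    static final String ATTR_NAME = "sslSessionToken";  // hypothetical name
    private static final SecureRandom RNG = new SecureRandom();
    // Call from the login handler, over HTTPS, once credentials have been verified.
    public static void issueSecureToken(HttpSession session, HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR_NAME, token);   // kept server-side only
        Cookie c = new Cookie(COOKIE_NAME, token);
        c.setSecure(true);     // browser sends it on HTTPS only, so it never crosses HTTP
        c.setHttpOnly(true);   // Servlet 3.0+ (Tomcat 7 and later)
        c.setPath("/");
        resp.addCookie(c);
    }
    // Map this filter in web.xml to the protected HTTPS-only URL patterns.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession session = r.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(ATTR_NAME);
        if (!r.isSecure() || expected == null || !matches(expected, r.getCookies())) {
            // A JSESSIONID alone (possibly captured on plain HTTP) does not unlock this area.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
    private static boolean matches(String expected, Cookie[] cookies) {
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())
                    && MessageDigest.isEqual(expected.getBytes(), c.getValue().getBytes()))
                return true;   // constant-time comparison of the presented marker
        }
        return false;
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

The marker is only minted at login over HTTPS, so a session that was never authenticated over TLS cannot acquire one, and invalidating the session discards it with the rest of the session state.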
