users@glassfish.java.net

Re: How to share JSESSIONID Session cookie between HTTP and HTTPS?

From: Joerg Gippert <jgippert_at_online.de>
Date: Wed, 7 May 2008 16:06:01 +0200

Hello,

I am actually facing the same problem. As far as I understand, every time you
switch between HTTP and HTTPS you get a new session assigned (if session
tracking is on). What you may have found is probably some class of the
Single Sign On mechanism of GF but I'm not sure. I haven't started
programming anything yet regarding the HTTP/HTTPS switch but I'm thinking
about placing a cookie to see if someone has already logged in or not. But I
don't think it's not the safest way. Analysing similar features on
Amazon.com & others tells me the only way to do HTTP/HTTPS switching is
via cookies (if you have an Amazon account, set your browser to not allow
any cookies and then try to log in).

Cheers,
Joerg


----- Original Message -----
From: <glassfish_at_javadesktop.org>
To: <users_at_glassfish.dev.java.net>
Sent: Wednesday, May 07, 2008 4:45 AM
Subject: How to share JSESSIONID Session cookie between HTTP and HTTPS?


> We have a web module which we are running in a split ssl / non ssl mode.
> On our production system, our glassfish instance is running behind apache
> and the session cookie is working as we expect because the connection
> between the proxy connection is always http (available in both "modes").
>
> We were hoping you would know of a way to configure glassfish v2 to allow
> the JSESSIONID to be available on both ssl and non ssl connections. By
> default if you are authenticating via SSL connection, then the JSESSIONID
> cookie explicitly has secured only true hence for all the HTTP connections
> made, the cookie is not sent across and hence user is treated as not
> logged in!
>
> In the CVS source tree, we found
> http://wiki.glassfish.java.net/Wiki.jsp?page=SessionTrackingCookieConfig
> which appears to have this capability but it was not clear how to affect
> this behavior from the configuration properties.
>
> Could you please let us know how to make JSESSIONID cookie unsecured?
>
> Thanks!
> [Message sent by forum member 'girixkumar' (girixkumar)]
>
> http://forums.java.net/jive/thread.jspa?messageID=273056
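The behaviour discussed in this thread, as an added example that is not part of either message or of GlassFish: Python's standard cookie jar applies the same Secure-flag rule a browser does, so it shows which cookies reach the server on each scheme. The host `shop.example.com`, the cookie values and the `LOGGED_IN` marker name are assumptions made for illustration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "shop.example.com"  # constructed host, not taken from the thread


def make_cookie(name, value, secure):
    """Build a version-0 (Netscape-style) host cookie for HOST, path /."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent(jar, url):
    """Return the names of the cookies a client would attach to a request for url."""
    req = Request(url)          # no network traffic: the request is never opened
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    header = req.get_header("Cookie", "")
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}


def build_jar():
    """Client state after an HTTPS login, using constructed cookie values."""
    jar = CookieJar()
    # Session id issued over HTTPS: marked Secure, as described in the question.
    jar.set_cookie(make_cookie("JSESSIONID", "constructed-session-id", secure=True))
    # Hypothetical non-Secure marker, the idea floated in the reply. It carries
    # no secret: it crosses plain HTTP, where anyone on the path can read or
    # forge it, so the server can treat it only as a hint.
    jar.set_cookie(make_cookie("LOGGED_IN", "1", secure=False))
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for url in (f"https://{HOST}/account", f"http://{HOST}/catalog"):
        print(url, "->", sorted(cookies_sent(jar, url)))
```

Over HTTPS both cookies are sent; over HTTP only the marker is, which is why the server sees the HTTP request as belonging to a user who is not logged in.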