users@glassfish.java.net

Re: http session lost when switching from https to http (on cluster)

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 26 Feb 2009 09:45:10 -0800

On 02/26/09 04:09 AM, glassfish_at_javadesktop.org wrote:
> Hi,
>
> I'm trying to set up a GlassFish cluster, one node with two instances. It starts without problems, I can deploy sample applications and the HTTP session is maintained between instances. Except in one scenario:
>
> open unsecure pages (http://)
> open secure pages (https://)
> open unsecure page again - here session is lost
>
> It does not matter if I switch between instances or not.
>
> I have found that the JSESSIONIDVERSION cookie is not sent when I open unsecure page from secure page.
>
> Does anyone have similar problem?
>
> I'm using GlassFish v2.1 b60e, jdk 1.6.0_07 on Ubuntu 8.04.
> Testing with Firefox 3 and opera 9.6.
>

Thanks for this report!

Here's an explanation for what you are seeing:

Unlike a JSESSIONID cookie, a JSESSIONIDVERSION cookie is delivered
with every response.

In your scenario, the (first) request that initiates the session is over
HTTP. As a result, the JSESSIONID cookie returned with the response is
marked as non-secure, meaning it will be returned by the client with any
subsequent requests targeted to your app, regardless of whether those
requests are over HTTP or HTTPS.

If one of the subsequent requests is over HTTPS, the returned
JSESSIONIDVERSION cookie will be marked as secure, meaning it will *not*
be returned by the client with a subsequent HTTP request.

This is exactly what you are seeing!

One way to fix this would be to have the JSESSIONIDVERSION cookie
always inherit the security setting of the associated JSESSIONID cookie,
instead of the security setting from the request.
Jan

> [Message sent by forum member 'adeboinfo' (adeboinfo)]
>
> http://forums.java.net/jive/thread.jspa?messageID=333977
>
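The cookie behaviour Jan describes, as an added simulation that is not part of the thread or of GlassFish: a minimal browser cookie jar that honours the Secure attribute, and a container model that sets JSESSIONID once and JSESSIONIDVERSION on every response. The `inherit_secure_from_session` switch is a constructed stand-in for the proposed fix; the session id value and the "version cookie missing" observation are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute: the browser sends it over HTTPS only

class CookieJar:
    """Minimal browser-side jar; a Secure cookie is withheld from HTTP requests."""
    def __init__(self):
        self.cookies = {}

    def store(self, cookie):
        self.cookies[cookie.name] = cookie  # a later Set-Cookie replaces the earlier one

    def cookies_for(self, scheme):
        over_https = scheme == "https"
        return {c.name: c.value for c in self.cookies.values() if over_https or not c.secure}

class Container:
    """Server model: JSESSIONID is set once, JSESSIONIDVERSION with every response."""
    def __init__(self, inherit_secure_from_session):
        self.inherit = inherit_secure_from_session  # True models the proposed fix
        self.session_secure = None
        self.version = 0

    def handle(self, scheme, request_cookies):
        to_set = []
        if "JSESSIONID" not in request_cookies:
            # session created now; its cookie's Secure flag follows the creating request
            self.session_secure = scheme == "https"
            self.version = 0
            to_set.append(Cookie("JSESSIONID", "sid-1", self.session_secure))  # constructed id
        self.version += 1
        # as-is: Secure flag follows the current request; fixed: follows JSESSIONID
        secure = self.session_secure if self.inherit else scheme == "https"
        to_set.append(Cookie("JSESSIONIDVERSION", f"sid-1:{self.version}", secure))
        return to_set

def version_cookie_seen(schemes, inherit_secure_from_session):
    """Return, per request, whether the container received JSESSIONIDVERSION."""
    jar, container = CookieJar(), Container(inherit_secure_from_session)
    seen = []
    for scheme in schemes:
        sent = jar.cookies_for(scheme)
        seen.append("JSESSIONIDVERSION" in sent)
        for cookie in container.handle(scheme, sent):
            jar.store(cookie)
    return seen

if __name__ == "__main__":
    flow = ["http", "https", "http"]  # the reporter's sequence
    print("as reported:", version_cookie_seen(flow, False))  # [False, True, False]
    print("with fix:   ", version_cookie_seen(flow, True))   # [False, True, True]
```

The third entry is the HTTP request that follows the HTTPS one: without the fix the version cookie stays in the jar marked Secure and is never sent over HTTP, matching the reporter's observation.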