users@glassfish.java.net

Re: Passing session between http and https

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Wed, 14 Oct 2009 16:30:47 -0700

Hi Johnny,

On 10/14/09 14:50, glassfish_at_javadesktop.org wrote:
> Hi,
>
> How do I maintain the session stage between https and http? I lost the user's information when passing session data to a non-SSL page. Thanks for any help!
>

GlassFish provides you with a couple of choices to make HTTP sessions created as part of an HTTPS request resumable by an HTTP request:

- If you are using a GlassFish version prior to the upcoming GlassFish v3, you need to bundle a sun-web.xml with your app, and set its "cookieSecure" property to "false", as shown in the following code snippet:

 <?xml version="1.0" encoding="UTF-8"?>
 <sun-web-app>
   <session-config>
     <cookie-properties>
       <property name="cookieSecure" value="false" />
     </cookie-properties>
   </session-config>
 </sun-web-app>

- The Servlet 3.0 specification, for which GlassFish v3 is the reference implementation, provides standard configuration support for container-managed cookies, so you no longer need the above sun-web.xml.

Instead, add this snippet to your web.xml:

  <session-config>
    <cookie-config>
      <secure>false</secure>
    </cookie-config>
  </session-config>

or leverage the new programmatic configuration APIs, e.g., from within
a ServletContextListener, as follows:

    public void contextInitialized(ServletContextEvent sce) {
        // false = allow the container-managed session cookie to be sent over plain HTTP
        // (matches the <secure>false</secure> web.xml setting above)
        sce.getServletContext().getSessionCookieConfig().setSecure(false);
    }


Make sure that your HTTP session does not contain any sensitive data, as transmitting an HTTP session in the clear (over HTTP) makes it vulnerable to hijacking attacks, since it can be stolen and impersonated by anyone snooping on your network traffic, so it's generally considered a bad idea to keep sessions around (as described above) when downshifting from HTTPS to HTTP.


Jan


> Regards,
>
> Johnny
> [Message sent by forum member 'tanww888' (tanww888_at_yahoo.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=367953
>
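The following is an added example, not code from the mail or from GlassFish, showing how a Servlet 3.0 application can combine the programmatic cookie configuration Jan describes with the caveat he closes on. It sets the session cookie non-secure at startup, then treats any session whose id has been seen on a plain-HTTP request as potentially captured: a filter strips privileged attributes and flags the session, and a second filter on privileged paths refuses such a session and sends the user back to log in over HTTPS. The attribute names, the `/account/*` path and the `/login` URL are hypothetical placeholders.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Startup hook: the programmatic equivalent of the web.xml <cookie-config> snippet. */
@WebListener
class SessionCookieSetup implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(false);   // let the session cookie be sent over plain HTTP (the mail's use case)
        cfg.setHttpOnly(true);  // but keep it out of reach of page scripts
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/**
 * Once a session id has travelled over HTTP it may have been captured, so the first time
 * that happens this filter strips the privileged attributes and records the downgrade.
 * Attribute names below are hypothetical; substitute the ones your application uses.
 */
@WebFilter("/*")
class DowngradeGuardFilter implements Filter {
    static final String DOWNGRADED = "session.downgraded";
    static final String[] PRIVILEGED = { "user.principal", "user.roles", "checkout.paymentToken" };

    @Override
    public void init(FilterConfig fc) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false);   // never create a session just to inspect it
        if (s != null && !r.isSecure() && s.getAttribute(DOWNGRADED) == null) {
            for (String name : PRIVILEGED) {
                s.removeAttribute(name);       // sensitive data must not ride an exposed session
            }
            s.setAttribute(DOWNGRADED, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}

/** Privileged pages refuse a downgraded (or non-HTTPS) session and require a fresh login. */
@WebFilter("/account/*")
class RequireUntaintedSession implements Filter {
    @Override public void init(FilterConfig fc) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        HttpSession s = r.getSession(false);
        boolean tainted = s == null || s.getAttribute(DowngradeGuardFilter.DOWNGRADED) != null;
        if (!r.isSecure() || tainted) {
            if (s != null) {
                s.invalidate();                // discard the possibly captured session id entirely
            }
            w.sendRedirect("https://" + r.getServerName() + "/login");   // hypothetical login URL
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Read-only pages can keep working with the downgraded session, which is what the non-secure cookie buys you; anything that would act on the user's behalf goes through the second filter, so a session id sniffed on the HTTP leg cannot be replayed against the privileged paths.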