views: 209
answers: 1

I have a web application which contains both secure (SSL) and non-secure pages.

A user can login to the site and must appear logged-in in both the SSL and non-SSL areas.

(NB. SSL isn't implemented via Tomcat, but via Apache HTTPD servers which sit in front of Tomcat - so Tomcat has no SSL configuration.)

The logged-in state is currently maintained via a servlet session (using Tomcat's vanilla session management).

The obvious issue with this approach is that the JSESSIONID cookie is transported over both HTTP and HTTPS connections, meaning that it's potentially possible to intercept it and hijack the session.

Are there any solutions to this without rolling our own session management (i.e. does Tomcat cater for this situation)?

I'm prepared to implement our own session management, but don't want to reinvent something that may already be supported.

+3  A: 

You say the SSL is implemented on the Apache server and not passed down to Tomcat, so Tomcat treats the whole journey as HTTP? If so, Tomcat will not create separate JSESSIONIDs since it is not aware of the HTTPS.

You can check request.getUserPrincipal() to see if the user is logged in.

JoseK
Good point, although the header is forwarded so the HTTPS flag is present - however Tomcat probably doesn't consider that. Thanks for the reminder about user principal (too long spent with home-grown auth methods :)
Joe
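One way to keep Tomcat's vanilla session management and still stop a JSESSIONID captured over plain HTTP from reaching the HTTPS-only pages, as an added example that is not from the question or answer above: bind the session to a second cookie that carries the Secure flag, so the browser never sends it over HTTP. The cookie name SSESSIONID, the session attribute name and the X-Forwarded-Proto header are assumptions; the header must be set (and overwritten) by the Apache front end so a client cannot supply it itself, and issueSecureToken must be called from login code that itself runs over HTTPS.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

/** Guards HTTPS-only pages: JSESSIONID (also sent over plain HTTP) is not enough;
 *  a second, Secure-flagged cookie bound to the session is required as well. */
public class SecureAreaFilter implements Filter {
    private static final String COOKIE = "SSESSIONID"; // assumed cookie name
    private static final String ATTR = "secureToken";  // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Call from the login code, which must run over HTTPS, right after the user is
     *  authenticated (and after invalidating any pre-login session). */
    public static void issueSecureToken(HttpServletRequest req, HttpServletResponse res) {
        String token = new BigInteger(160, RNG).toString(32);  // 160 random bits
        req.getSession().setAttribute(ATTR, token);
        Cookie c = new Cookie(COOKIE, token);
        c.setSecure(true);   // browser only sends it on HTTPS, so it is never exposed on HTTP
        c.setPath("/");      // add c.setHttpOnly(true) on Servlet 3.0+, or via Tomcat's context config
        res.addCookie(c);
    }

    /** Apache terminates SSL, so Tomcat sees plain HTTP; X-Forwarded-Proto is assumed to be
     *  set by httpd (it must overwrite any client-supplied value). */
    static boolean isHttps(HttpServletRequest req) {
        return req.isSecure() || "https".equalsIgnoreCase(req.getHeader("X-Forwarded-Proto"));
    }

    static String presentedToken(HttpServletRequest req) {
        Cookie[] cs = req.getCookies();
        if (cs != null) for (Cookie c : cs) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);
        String expected = s == null ? null : (String) s.getAttribute(ATTR);
        String got = presentedToken(req);
        // getUserPrincipal() assumes container auth; swap in your own logged-in check otherwise
        boolean ok = isHttps(req) && req.getUserPrincipal() != null && expected != null
                && got != null && MessageDigest.isEqual(expected.getBytes(), got.getBytes());
        if (!ok) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; } // or redirect to HTTPS login
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter in web.xml to the url-pattern of the secure area only; the non-SSL pages keep working on JSESSIONID alone, while a hijacked JSESSIONID on its own is rejected wherever the filter applies.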