Are you using a simple reverse proxy to connect to Tomcat? If that's your case, use mod_proxy_ajp to use AJP to connect Apache HTTP Server to Tomcat Application Server.
A:
Pablo Santa Cruz
2010-10-26 17:58:49
Yes, mod_ajp is in use on my server. It connects/forwards requests for JSP pages to Tomcat...correct?
katura20
2010-10-26 18:18:00
`mod_ajp`? Did you mean `mod_proxy_ajp` or `mod_jk`? It's not clear what the impact of this is regarding the problem between HTTPS and HTTP, even compared with `mod_proxy_http`.
Bruno
2010-10-26 18:20:24
I'm sorry, yes, it is mod_jk, not mod_ajp, my apologies.
katura20
2010-10-26 18:24:52
@Bruno: yes, I meant `mod_proxy_ajp`.
Pablo Santa Cruz
2010-10-26 18:38:41
+3
A:
Allowing the user to use the same session after logging in is a security vulnerability. Tomcat by default does not allow sessions to migrate from SSL to non-SSL pages.
You should change your logic so that if a user is doing a login, the session is silently updated and the user is logged in, instead of being sent to the session-expired page.
Byron Whitlock
2010-10-26 18:06:31
The best idea I can come up with is to recreate the session attributes that were lost, and do this during the validation of the username/password params, so that the logic of the pages doesn't think that the session has expired. Does that sound logical?
katura20
2010-10-26 18:36:41
I tried my idea out. I've noticed that when I log in the 1st time, it's successful, but when I log out and log back in the 2nd time, in the same session, it's acting as it was before, sending me to session expired. I should also mention that I've made use of response.encodeURL() for every link on my site. I noticed that when I'm on an http page, the http-type links have JSESSIONID present, but the https links do not. Is this adding to my problem somehow?
katura20
2010-10-26 19:21:44
+1
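One way to do what this answer suggests, as an added example that is not code from the question or the answers: on a successful login the servlet invalidates whatever session the browser presented, creates a fresh one on the HTTPS request, and carries over only a short allow-list of attributes, so the pages' "session expired" check never fires and the pre-login session id (which may have been sent in clear text or chosen by an attacker) never becomes a logged-in one. The `authenticate` helper, the `user` attribute and the `cart`/`locale` attribute names are assumptions for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login handler (added example, not from the thread). It assumes a
 * hypothetical authenticate(user, pass) helper and that the rest of the
 * site treats a non-null "user" session attribute as "logged in".
 */
public class LoginServlet extends HttpServlet {

    /** Attributes allowed to survive the login; everything else is dropped. */
    private static final Set<String> CARRY_OVER =
        new HashSet<String>(Arrays.asList("cart", "locale"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials must only ever arrive over HTTPS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendRedirect(resp.encodeRedirectURL("login.jsp?error=1"));
            return;
        }

        // Keep the few attributes worth keeping from whatever session the
        // browser presented (there may be none: a Secure JSESSIONID cookie set
        // on an earlier HTTPS page is not sent on HTTP pages, and vice versa).
        Map<String, Object> keep = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                if (CARRY_OVER.contains(name)) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            // Invalidate so the pre-login id can never become a logged-in id
            // (this is the "session fixation" half of the answer above).
            old.invalidate();
        }

        // A session created on an HTTPS request gets a Secure JSESSIONID
        // cookie from Tomcat, so the id is never sent over plain HTTP.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", user);
        resp.sendRedirect(resp.encodeRedirectURL("home.jsp"));
    }

    /** Hypothetical placeholder: replace with the application's real credential check. */
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && user.length() > 0 && pass.length() > 0;
    }
}
```

Because the pre-login session is invalidated, a second login in the "same" browser session (the case described in the comments) also gets a brand-new session rather than tripping the expired-session logic, provided the logout code calls `session.invalidate()` and the login page is itself served over HTTPS.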
A:
It's likely that you're using "secure cookies" to maintain the session: these cookies don't propagate from HTTPS to HTTP. This is generally a good thing.
You can choose not to do this, but when you transfer a session from HTTPS to HTTP you have to take extra care that you don't allow it to be reused over HTTPS later, as it may have been compromised.
Bruno
2010-10-26 18:10:12
I don't believe I'm using "secure cookies" only because I haven't configured anything on Tomcat for such. I'm using session attributes, that's pretty much it.
katura20
2010-10-26 18:19:26
Secure cookies are probably the default (that would be sensible anyway), see @Byron Whitlock's answer.
Bruno
2010-10-26 18:24:55
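The "extra care" this answer asks for, as an added example that is not code from the answer or from Tomcat: a servlet filter that marks a session as tainted the moment its id is presented over plain HTTP (which, with a Secure cookie, only happens when the id is carried in a `;jsessionid=` URL produced by `encodeURL()`, as in the comments above) and then refuses to let that session count as logged in on a later HTTPS request. The `user` attribute name, the `login.jsp` target and the filter's attribute key are assumptions for the example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread). Records that a session id has been on
 * the wire in clear text and refuses to honour such a session's login over
 * HTTPS. Assumes the login code stores the authenticated user under the
 * hypothetical "user" attribute.
 */
public class SessionDowngradeFilter implements Filter {

    /** Hypothetical attribute key; any name the application does not use will do. */
    private static final String SEEN_OVER_HTTP = "security.sessionSeenOverHttp";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Do not create a session here: getSession(false) only returns one
        // the browser actually presented (by cookie or by ;jsessionid= URL).
        HttpSession session = req.getSession(false);
        if (session != null) {
            if (!req.isSecure()) {
                // The id just crossed the network in clear text. Anyone on the
                // path may now hold it, so remember that for the rest of its life.
                session.setAttribute(SEEN_OVER_HTTP, Boolean.TRUE);
            } else if (Boolean.TRUE.equals(session.getAttribute(SEEN_OVER_HTTP))
                       && session.getAttribute("user") != null) {
                // A logged-in session that has been exposed over HTTP must not be
                // accepted back over HTTPS: drop it and require a fresh login.
                session.invalidate();
                resp.sendRedirect(resp.encodeRedirectURL("login.jsp?reason=relogin"));
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in `web.xml` with a `<filter-mapping>` whose `<url-pattern>` is `/*` so it runs before every servlet and JSP. Note what it does not do: it cannot un-expose an id that has already been seen, so the only real fix is to stop the id from reaching HTTP pages at all (keep logged-in pages on HTTPS and avoid `encodeURL()` links that cross from HTTPS to HTTP); the filter is the safety net for the case the answer describes, where the id has crossed anyway.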