Tomcat, keep session when moving from HTTPS to HTTP


Problem description


I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP.


If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS.


However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP, forcing a new session and redirect to login page again. This time it works though, because this time the JSESSIONID cookie is set as non-secure.


How can I avoid that users have to log in twice when they hit the login page first?

Recommended answer


(Update: for clarity) Starting with the login HTTP GET/POST, use HTTPS, and use HTTPS throughout the user's logged-in session.


Use HTTP only when there is no logged-in user.


There is a reason that cookies are not allowed to cross protocol boundaries - it is an attack vector! (* see update below)

How to do this (a very bad idea)


If you really insist, encode the JSESSIONID in the redirect to the HTTP URL (or always encode the jsession id in the URL). When Tomcat gets the HTTP redirect, Tomcat should find the session and continue.

Why you shouldn't do this


Seriously, any site that mixes https and http content on the same page is just opening themselves to all sorts of fun (and easy) attacks.


Going from https to keep the login "secure" is pointless if the rest of the session is in cleartext. So what that the username/password (probably just the password) is protected?


Using the ever-popular man-in-the-middle attack, the attacker just copies the session id and uses that to have fun. Since most sites don't expire sessions that stay active, the MIM effectively has full access as if they had the password.


If you think HTTPS is expensive in terms of performance, look here, or just search. The easiest way to improve HTTPS performance to an acceptable level is to make sure the server is setting keep-alive on the connection.

Update 2:
See how to do this quickly and easily with the Firesheep Firefox plugin.
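One way to apply the recommendation above on Tomcat (HTTPS for the login page and for the whole logged-in session, plain HTTP only for anonymous traffic) is a servlet filter. The code below is an added example, not from the question or the answer; it assumes the login page lives at `/login` and that the login code stores the user under a session attribute named `user`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Redirects a request that arrives over plain HTTP to the same URL over HTTPS
 * whenever it is for the login page or carries a logged-in session, so the
 * JSESSIONID cookie (issued with the Secure flag when the session is created
 * over HTTPS) never has to cross the protocol boundary.
 */
public class HttpsForLoggedInFilter implements Filter {
    private static final String LOGIN_PATH = "/login"; // assumed login page path
    private static final String USER_ATTR = "user";    // assumed attribute set at login

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure() && needsHttps(request)) {
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /** HTTPS is required for the login page and for any logged-in session. */
    static boolean needsHttps(HttpServletRequest request) {
        if (LOGIN_PATH.equals(request.getServletPath())) {
            return true;
        }
        // getSession(false): never create a (non-Secure) session over HTTP here
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /** Rebuild the requested URL with the https scheme, keeping the query string. */
    static String httpsUrl(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();            // e.g. http://host/app/page
        String https = "https" + url.substring(url.indexOf(":"));
        String qs = request.getQueryString();
        return qs == null ? https : https + "?" + qs;
    }
}
```

Map the filter to `/*` in web.xml, and have the login code call `invalidate()` on any session that was created over HTTP before creating the logged-in one over HTTPS, so Tomcat issues the cookie with the Secure flag. Behind Apache, `isSecure()` and `getRequestURL()` only reflect the client's scheme and port if the proxied connector is configured for that (for example `secure="true"` plus `proxyPort` on the connector that receives the HTTPS traffic).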

