Tomcat, keep session when moving from HTTPS to HTTP


Problem description


I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP.

If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS.

However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP, forcing a new session and a redirect to the login page again. This time it works though, because this time the JSESSIONID cookie is set as non-secure.

How can I avoid users having to log in twice when they hit the login page first?

Solution

(Update: for clarity) Starting with the login HTTP GET/POST, use HTTPS, and use HTTPS throughout the user's logged-in session.

Use HTTP only when there is no logged-in user.

There is a reason that cookies are not allowed to cross protocol boundaries - it is an attack vector! (* see update below)

How to do this very bad idea

If you really insist, encode the jsessionid in the redirect to the HTTP URL (or always encode the jsessionid in the URL). When Tomcat gets the HTTP redirect, Tomcat should find the session and continue.

Why you shouldn't do this

Seriously, any site that mixes HTTPS and HTTP content on the same page is just opening itself to all sorts of fun (and easy) attacks.

Going from HTTPS to keep the login "secure" is pointless if the rest of the session is in cleartext. So what if the username/password (probably just the password) is protected?

Using the ever-popular man-in-the-middle attack, the attacker just copies the session id and uses that to have fun. Since most sites don't expire sessions that stay active, the MITM effectively has full access as if they had the password.

If you think HTTPS is expensive in terms of performance, look here, or just search. The easiest way to improve HTTPS performance to an acceptable level is to make sure the server is setting keep-alive on the connection.
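The following is an added example, not code from the original question or answer. It implements the rule the answer recommends, written against the Servlet 2.5 API that Tomcat 6 provides: anonymous traffic may use plain HTTP, but once a session is authenticated every request must arrive over HTTPS, so a JSESSIONID cookie carrying the Secure flag is exactly what you want rather than a problem to work around. The class name, the `LOGIN_ATTR` attribute name, the `onSuccessfulLogin` hook and the assumption that Apache terminates TLS on the default port 443 are all inventions for this example.

```java
// Added example, not code from the original question or answer.
// A Servlet 2.5 filter (the API level Tomcat 6 implements) that enforces the answer's
// rule: plain HTTP is fine for anonymous users, but once a session is authenticated
// every request must arrive over HTTPS, so a Secure JSESSIONID is never a problem.
// Assumptions: the login servlet calls onSuccessfulLogin(); Apache terminates TLS on
// the default port 443; the attribute name LOGIN_ATTR is made up for this example.
package example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HttpsForAuthenticatedFilter implements Filter {

    /** Session attribute that marks a logged-in session (name is an assumption). */
    static final String LOGIN_ATTR = "example.authenticatedUser";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // getSession(false): never create a session over HTTP. If one were created
            // here, Tomcat would issue JSESSIONID without the Secure flag and the id would
            // travel in cleartext on every later request.
            HttpSession session = request.getSession(false);
            if (session != null && session.getAttribute(LOGIN_ATTR) != null) {
                String method = request.getMethod();
                if ("GET".equals(method) || "HEAD".equals(method)) {
                    // Safe to replay: send the browser to the same URL over HTTPS.
                    response.sendRedirect(httpsUrlFor(request));
                } else {
                    // A POST body cannot be preserved across a redirect; refuse instead of
                    // silently processing a state-changing request that arrived in cleartext.
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                            "Authenticated requests must use HTTPS");
                }
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Same host, path and query string, but with the https scheme (default port 443). */
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        url.append(request.getRequestURI());           // already URL-encoded by the container
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    /**
     * To be called by the login servlet (over HTTPS) once the credentials check out.
     * Invalidating the pre-login session and creating a fresh one rotates the session id
     * (session-fixation defence); because the request is HTTPS, Tomcat marks the new
     * JSESSIONID cookie Secure, which is exactly what the filter above relies on.
     */
    static HttpSession onSuccessfulLogin(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(LOGIN_ATTR, user);
        return fresh;
    }
}
```

Map the filter to `/*` with a `<filter-mapping>` in web.xml so it runs before anything that reads the session. Two points to check when deploying behind Apache, as in the question. First, `request.isSecure()` is also what Tomcat consults when deciding whether to flag JSESSIONID as Secure, so it has to reflect the client's real scheme: an AJP connector (mod_jk or mod_proxy_ajp) forwards the SSL flag, whereas a plain HTTP connector reports false for everything unless its `secure="true"` attribute is set (which then marks every request on that connector secure) or a RemoteIpValve in later Tomcat 6 releases maps the X-Forwarded-Proto header. Second, note which of the two cases in the question is the dangerous one: the flow that "works great" does so because the session id was minted over HTTP and keeps travelling in cleartext; the flow that forces a second login is Tomcat protecting the cookie correctly. Rotating the session at login, as `onSuccessfulLogin` does, closes the first case as well, and appending `;jsessionid=` to URLs (the answer's "very bad idea") would reopen it, since the id then lands in proxy logs, browser history and Referer headers.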
