-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Prafull,

On 7/30/13 9:44 AM, Prafull wrote:
> On Tue, Jul 30, 2013 at 6:51 AM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Jeffrey,
> 
> On 7/29/13 4:09 PM, Jeffrey Janner wrote:
>>>> Thanks for the verification, Mark.  I was under the
>>>> impression you'd only want to [set secure="true"] if you were
>>>> already front-ending the site with something that was doing
>>>> the SSL for you (e.g. httpd or a proxy), and the server spoke
>>>> HTTP between each other.
> 
> We use secure="true" for loopback-only connectors to avoid the 
> overhead of SSL when we know the requests are going to come from 
> localhost (we have Apache Cocoon running in a separate JVM 
> calling-back to our main webapp for some XML). So there are some 
> non-fronting use cases, too.
> 
> (Note that mod_jk already sets the "secure" flag with each request
> if the original request to httpd came over HTTPS.)
> 
>>>> Our app accepts an initial request to the login page on HTTP,
>>>> but should be automatically routed to the HTTPS connector due
>>>> to <transport-guarantee> before the page is actually sent
>>>> back.  Then we actually invalidate the session and create a
>>>> new one on successful login, and that session/cookie is used for
>>>> the rest of the user's time on the site. So all I really need
>>>> to do to implement at 6.x is the context change.
> 
> Tomcat changes the session id (without actually destroying the 
> session) after authentication, so if you are using Tomcat's 
> authentication, then there is no need for the invalidation you 
> describe above.
> 
> -chris
> Hi Christopher,
> 
> When you say after successful authentication Tomcat re-creates a
> new session, what do you mean by that? Can you explain it in a bit
> more detail?

I didn't say that Tomcat "re-created a new session". In fact, I said
the opposite: Tomcat does not destroy the session. Instead, it changes
the session identifier associated with the existing session. This is
done to prevent session-fixation attacks.

You can read all about it here:
http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJR98zLAAoJEBzwKT+lPKRYgUYP/1NOvgOUEP7Oe74J36pTEzeH
ixUJrV2B9Iiju9XLrkhwRwEXALcVyUoDPeXMfGnsoJY5o26XnXLApXDwoNCIGnPu
NbbLNOs7syHJsd1ClptU3V8ySQ39X00BRF/qiT+32HmMoSb9gIoMyU7Wj/+Eytpi
QJ8a1G2IwyUlCfmfcZSXGbfOTNIO8bwJeeZtRamioCuSrZjVhguB7XK+IL2llhUP
sgp5tpc5LXiJaTF/C81i1dJjfffae2/lY/zNWTv7uxBQ+bgQWMG53yR0GRaWVtuo
EtM4N79eM/2b5kWCcOHBn7DNmhwITTvsOJGh0TRIMwdVT/AsiKXw4w+REHA9xB6r
0gpGR2Zdpf63IktWwfG/ZnFqmEgbABasV6O4/Vv0Idwxx1D00IyLm1KStvv8sOha
78eQ5RZM+iQ22L3KvBKn+o3spmQ66m7QPr/I9nkbipsTHxDK0MObM8ei6SAhBQec
RT7vHk+WoUomaLJUQFnyuIVkiOdPtefsGQM9m8Q5TtQ7hyPRLydUwnSd7yRnUenO
nMKfQT/zImhrcXjy8jKH9fVQWBlOmKJNcU/WZogJ7s23PS8/Ei1PLMNiXh60N/Ok
xZxQ9LP4O/60EYHE4zRToj95qILnBxqwIhWM9h8lpv/YeqrF9/yltfql0BDXs5XO
z+cdjl7S/BFf7ZUNKVmO
=B93k
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
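The distinction Chris draws above (rotate the session identifier versus invalidate the session and start a new one) is easiest to see with a small model. The following is an added example, not code from Tomcat or from anyone in the thread; it uses a toy in-memory session store, and the names `SessionStore`, `change_session_id`, `invalidate_and_recreate` and `fixation_scenario` are assumptions made for the illustration. It walks through a session-fixation scenario three ways: with no protection, with Tomcat's documented behaviour (same session object, new id), and with Jeffrey's invalidate-and-recreate approach, and reports whether the pre-login id still reaches the authenticated session and whether pre-login attributes survive.

```python
"""Toy model of session-fixation protection at login time.

Added example (not Tomcat code). The store, class and function names
below are assumptions for the illustration; the behaviour modelled is
the one described in the thread: Tomcat keeps the session object and
only changes its identifier after authentication.
"""
import secrets


class Session:
    def __init__(self, session_id):
        self.id = session_id
        self.attributes = {}
        self.valid = True


class SessionStore:
    """Minimal in-memory session registry keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)  # 128 bits of randomness, as a real container would use
        session = Session(sid)
        self._sessions[sid] = session
        return session

    def lookup(self, sid):
        session = self._sessions.get(sid)
        return session if session is not None and session.valid else None

    def change_session_id(self, session):
        """Re-key the same session object under a fresh id (the Tomcat-style approach).

        Attributes set before login survive; the old id stops resolving.
        """
        del self._sessions[session.id]
        session.id = secrets.token_hex(16)
        self._sessions[session.id] = session
        return session

    def invalidate_and_recreate(self, session):
        """Destroy the session and start an empty one (the invalidate-and-create approach)."""
        session.valid = False
        del self._sessions[session.id]
        return self.create()


def login(store, session, username, mode):
    """Mark the session authenticated, applying the chosen fixation defence first."""
    if mode == "change_id":
        session = store.change_session_id(session)
    elif mode == "invalidate":
        session = store.invalidate_and_recreate(session)
    elif mode != "none":
        raise ValueError("unknown mode: %r" % mode)
    session.attributes["user"] = username
    return session


def fixation_scenario(mode):
    """Constructed scenario. Returns (planted_id_reaches_authenticated_session, cart_preserved).

    A pre-authentication session id is known to a third party before the victim
    logs in (how it got there is irrelevant to the model). The victim puts an item
    in a cart, then logs in. We then check what the old id resolves to, and whether
    the victim's pre-login state survived.
    """
    store = SessionStore()
    pre_login = store.create()
    planted_id = pre_login.id
    pre_login.attributes["cart"] = ["widget"]

    victim_session = login(store, pre_login, "victim", mode)

    via_planted_id = store.lookup(planted_id)
    planted_id_is_authenticated = (
        via_planted_id is not None and via_planted_id.attributes.get("user") == "victim"
    )
    cart_preserved = victim_session.attributes.get("cart") == ["widget"]
    return planted_id_is_authenticated, cart_preserved


if __name__ == "__main__":
    for mode in ("none", "change_id", "invalidate"):
        hijackable, cart_kept = fixation_scenario(mode)
        print("%-10s planted id reaches authenticated session: %-5s  cart kept: %s"
              % (mode, hijackable, cart_kept))
```

With `mode="none"` the pre-login id still resolves to the authenticated session, which is the fixation problem. Both `change_id` and `invalidate` close it; the difference Chris points out is that only `change_id` keeps the pre-login attributes (the cart here), so if an application relies on Tomcat's own authentication it gets the protection without discarding session state. A defender auditing an application can check the same thing from the outside: the `JSESSIONID` value presented before login should never be accepted as an authenticated session afterwards.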
