Try using ProtocolSwitchServlet to when you make transitions between secure and non-secure pages.
Don't really see how the ProtocolSwitchServlet addresses this issue.
It is default JBoss behavior to secure the JSESSIONID cookie for HTTPS requests, but I think you can configure JBoss not to secure the JSESSIONID cookie for HTTPS requests.
Though it's not always recommended because of a security vulnerability: a malicious user can steal your cookie from an HTTP request.
The other recommended way is to implement HTTPS throughout your website. Obviously it also comes with a cost in terms of SSL overhead, cost overhead, and if you are using a cross-domain session cookie where one domain is secure and the other is not.
It is certainly JBoss default behavior to issue a secure cookie when the first request to the site is done over https. There is no way to configure JBoss to not use the secure cookie as far as I know - something custom is required here.
For a site that uses a mix of http and https, this behavior makes no sense to me. The secure cookie is only issued if your first hit happens to be over https, which is rare. Most of the time, your first hit will be http, in which case a non-secure cookie is issued and used for the remainder of the session.
I have not tried this but see if you can override the default cookie behavior using the custom filter approaches mentioned in the following resources.
http://forum.springsource.org/archive/index.php/t-65651.html (refer to comments by user "csw199")
Did you try setting
<SessionCookie path="/" secure="false" httpOnly="false"/>
in J2EE application context.xml?
Also "everything on HTTPS" is the approach recommended by security experts. Having both HTTP and HTTPS on your site opens a vulnerability to MITM attacks.
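An added example (not from any poster in this thread, and not JBoss's own code) of the "everything on HTTPS" approach the last reply recommends: a servlet filter that redirects plain-HTTP requests to HTTPS before the application can create a session, so the Secure flag on JSESSIONID never costs you the session and the cookie is never exposed on an HTTP request. The class name, the canonicalHost init-param and the HSTS max-age are assumptions; it targets the javax.servlet API of the JBoss versions discussed here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects every plain-HTTP request to its HTTPS equivalent so that the
 * session cookie is only ever issued and sent over TLS.
 * Example code for this thread; not part of JBoss.
 */
public class HttpsEnforcementFilter implements Filter {

    // Assumed value: one year, a common HSTS lifetime.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Optional init-param (assumed name) giving the site's canonical host.
    // Using a fixed host avoids building redirects from the client-supplied Host header.
    private String canonicalHost;

    @Override
    public void init(FilterConfig filterConfig) {
        canonicalHost = filterConfig.getInitParameter("canonicalHost");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Only GET and HEAD can be replayed safely through a redirect;
            // a form POST would lose its body, so refuse it instead.
            String method = request.getMethod();
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            // Redirect before chain.doFilter(), so no servlet runs and no
            // non-secure JSESSIONID cookie is ever created on this request.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", buildHttpsUrl(request));
            return;
        }

        // Already on TLS: tell browsers to stay there for future requests.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    /** Builds the https:// form of the current request URL (assumes TLS on port 443). */
    String buildHttpsUrl(HttpServletRequest request) {
        String host = (canonicalHost != null) ? canonicalHost : request.getServerName();
        StringBuilder url = new StringBuilder("https://").append(host);
        String uri = request.getRequestURI();      // includes the context path
        url.append(uri == null ? "/" : uri);
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with `<url-pattern>/*</url-pattern>` and give it the `canonicalHost` init-param; with every request forced onto HTTPS the matching cookie setting is `<SessionCookie path="/" secure="true" httpOnly="true"/>`, the opposite of the `secure="false" httpOnly="false"` suggestion above, since there is no longer any HTTP page that needs the cookie. Check the behaviour by requesting a page over http and confirming the 301 response carries no Set-Cookie header.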