2

In my JSP/servlet application some pages are served over HTTPS and others over plain HTTP. The login page is HTTPS, and I've noticed that when I log in and redirect to an HTTP page, the session is not maintained. Could anyone help me fix this issue?

Harry Joy
Alex
  • Check this Question [HTTPS to HTTP](http://stackoverflow.com/questions/4635425/tomcat-keep-session-when-moving-from-https-to-http) – Sathesh S Feb 25 '13 at 09:48

2 Answers

1

You should not move from HTTPS to HTTP, as you will lose confidentiality.

If you still wish to do this, you can manually pass on the Session ID from login (HTTPS) to the redirected page (HTTP).

The SSL Session ID (attribute name - javax.servlet.request.ssl_session_id) should not be revealed and hence it won't get carried over to HTTP.

Vikas V
0

That's because the redirect URL that you redirect to does not have the jsessionid.

Try this:

```java
response.sendRedirect(response.encodeRedirectURL(contextPath + "/myServlet"));
```

But please be aware that since you are exposing the session ID in the URL, you're exposing your webapp to a Session Fixation Attack.

Sudhakar