1

I'm working on a web application that has to use different domains for access over http and https. Now I'm facing the following problem: While the user is accessing the http-domain, some information is stored inside the session. When the user makes the transition to https the information which session the user belongs to is lost (because the session id is stored in the cookie that is associated with the http-domain).

How can I reattach the correct session to the user after he has switched domains?

Is it possible to execute some Java code right before the redirect that is caused by requires-channel="https" is sent?

Edit: I was thinking there might be something specific in Spring Security that could be used, but so far I wasn't able to find anything in the documentation.

Edit 2: Just found out that what I probably need to do is to replace the ChannelProcessingFilter with a custom implementation. But I don't know what I have to do to make Spring Security accept my new class instead of the default ChannelProcessingFilter. Note: I'm using Spring 3.0.

B.E.

2 Answers

1

We solved the problem by supplying a custom ChannelProcessor that gets executed right before the default ChannelProcessor and sends a redirect that includes the jsessionid as a URL parameter. Then the default ChannelProcessor uses this URL and sends another redirect to the http-domain.

To change the URL parameter back to the ";" format for session ids we have some additional directives in Apache:

Header edit Location ^(.*)\?jsessionid=([^&]*)&(.*)$ $1;jsessionid=$2?$3
Header edit Location ^(.*)\?jsessionid=([^&]*)$ $1;jsessionid=$2

The URL is then evaluated by Tomcat and continues the same session on a different domain.

B.E.
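The custom ChannelProcessor that this answer describes, written out as an added example for Spring Security 3.0; it is not B.E.'s code. The class name, the package, the choice to put jsessionid first in the query string and the static toPathParameterForm helper (a Java re-statement of the two Apache Header edit rules above, so they can be checked in a unit test) are my assumptions. The processor only acts on a plain-HTTP request that carries a session and does not yet have jsessionid in its query string; it redirects once to the same URL with the id appended, and on the next request the default SecureChannelProcessor sees the id in the query string and performs the usual redirect to the HTTPS domain, keeping that query string, which Apache then rewrites into the ";jsessionid=" path-parameter form.

```java
package example.security; // hypothetical package, not from the question

import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.ChannelProcessor;

/**
 * Must be listed before SecureChannelProcessor in ChannelDecisionManagerImpl's
 * channelProcessors list. ChannelDecisionManagerImpl stops calling further
 * processors once the response is committed, so our sendRedirect wins on the
 * first pass and the default processor handles the second pass.
 */
public class SessionCarryingChannelProcessor implements ChannelProcessor {

    /** Attribute that requires-channel="https" generates. */
    private static final String REQUIRES_SECURE = "REQUIRES_SECURE_CHANNEL";
    private static final String PARAM = "jsessionid";

    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && REQUIRES_SECURE.equals(attribute.getAttribute());
    }

    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
        HttpServletRequest request = invocation.getHttpRequest();
        HttpServletResponse response = invocation.getHttpResponse();

        if (request.isSecure() || !requiresSecureChannel(config)) {
            return; // already on HTTPS, or this URL does not require it
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // nothing to carry over; let the default processor redirect
        }
        String query = request.getQueryString();
        if (query != null && query.contains(PARAM + "=")) {
            return; // second pass: id already present, default processor takes over
        }
        String target = buildRedirectUrl(request.getRequestURL().toString(), query, session.getId());
        response.sendRedirect(target); // commits the response, ending the processor loop
    }

    private boolean requiresSecureChannel(Collection<ConfigAttribute> config) {
        for (ConfigAttribute attribute : config) {
            if (supports(attribute)) {
                return true;
            }
        }
        return false;
    }

    /** Appends jsessionid as the first query parameter and keeps any existing query string. */
    static String buildRedirectUrl(String requestUrl, String query, String sessionId) {
        StringBuilder url = new StringBuilder(requestUrl)
                .append('?').append(PARAM).append('=').append(sessionId);
        if (query != null && query.length() > 0) {
            url.append('&').append(query);
        }
        return url.toString();
    }

    /**
     * Java equivalent of the answer's two "Header edit Location" rules, for
     * testing them offline: "?jsessionid=X&rest" becomes ";jsessionid=X?rest",
     * and a trailing "?jsessionid=X" becomes ";jsessionid=X". Any other
     * Location value is returned unchanged.
     */
    static String toPathParameterForm(String location) {
        String withRest = location.replaceFirst("^(.*)\\?jsessionid=([^&]*)&(.*)$", "$1;jsessionid=$2?$3");
        if (!withRest.equals(location)) {
            return withRest;
        }
        return location.replaceFirst("^(.*)\\?jsessionid=([^&]*)$", "$1;jsessionid=$2");
    }
}
```

Wiring (also an assumption about the asker's setup, since the answer does not show it): declare a ChannelDecisionManagerImpl bean whose channelProcessors property lists this class first, followed by SecureChannelProcessor and InsecureChannelProcessor, give a ChannelProcessingFilter bean that decision manager, and register the filter in the namespace configuration with custom-filter at position CHANNEL_FILTER in place of the requires-channel attributes. Two things worth checking on the landing side: the session id is in a URL for one hop, so it will appear in the access logs of both hosts and in the Referer of anything the first HTTPS page loads, which argues for keeping that page free of third-party resources and for having the cookie that Tomcat re-issues on the HTTPS domain flagged Secure; and since the id was minted over plain HTTP, rotating the session id once the user is on HTTPS (session-fixation protection) limits how long the URL-carried value stays valid.
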
0

Check out this post for information/resolution on this - Session lost when switching from HTTP to HTTPS in PHP

Community
Saket