Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must attribute it to the original authors (not me) and cite the original: http://stackoverflow.com/questions/4635425/

Date: 2020-10-30 07:19:16  Source: igfitidea

Tomcat, keep session when moving from HTTPS to HTTP

Tags: java, https, apache2, tomcat6, httpsession

Asked by rlovtang

I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP.

If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS.

However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP, forcing a new session and redirect to login page again. This time it works though, because this time the JSESSIONID cookie is set as non-secure.

How can I avoid that users have to log in twice when they hit the login page first?

Answered by Pat

(Update: for clarity) Starting with the login Http get/post, use https and use https throughout the user's logged-in session.

Use Http only when there is no logged in user.

There is a reason that cookies are not allowed to cross protocol boundaries - it is an attack vector! (* see update below)

How to do this very bad idea

If you really insist, encode the jsessionId in the redirect to the http url (or always encode the jsession id in the url). When Tomcat gets the http redirect, Tomcat should find the session and continue.

Why you shouldn't do this

Seriously, any site that mixes https and http content on the same page is just opening itself to all sorts of fun (and easy) attacks.

Going from https to keep the login "secure" is pointless if the rest of the session is in cleartext. So what that the username/password (probably just the password) is protected?

Using the ever-popular man-in-the-middle attack, the attacker just copies the session id and uses that to have fun. Since most sites don't expire sessions that stay active, the MIM effectively has full access as if they had the password.

If you think https is expensive in terms of performance look here, or just search. Easiest way to improve https performance to an acceptable level is to make sure the server is setting keep-alive on the connection.

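An added example of the approach Pat recommends, not code from the question or the answer: a Servlet 2.5 filter for Tomcat 6 that sends any plain-HTTP request carrying a logged-in session to the same URL over HTTPS, so the session and its cookie stay on one protocol and the session id never goes into a URL. It assumes the login code stores the user under a session attribute named "user" (a hypothetical name) and that the filter is mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet 2.5 filter (Tomcat 6): once a user has logged in, never serve the
 * session over plain HTTP; redirect to the same URL on HTTPS instead.
 * Assumption: the login code stores the user under the session attribute
 * "user" (hypothetical name). Map the filter to /* in web.xml.
 */
public class HttpsForLoggedInFilter implements Filter {

    private static final String USER_ATTR = "user"; // assumed attribute name

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to inspect it
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn && !request.isSecure()) {
            // Same host, path and query string, but on the https scheme
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString()); // session id stays in the cookie, not the URL
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Behind Apache, request.isSecure() only reflects the client's connection if the proxy passes that on (AJP does; with mod_proxy_http, give the HTTPS traffic its own Tomcat connector with secure="true" and scheme="https"). A session cookie first issued over HTTP is still sent in the clear on that one request before the redirect, so this narrows rather than removes the exposure Pat describes; issuing the session under HTTPS from the start avoids it.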