Philippe Mouawad (Migrated from SEC-1660) said:
Hello, In your documentation here: http://static.springsource.org/spring-security/site/faq.html#faq-tomcat-https-session
You say: I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating. This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure.
I may be wrong but I don't understand how this can work.
Later when we authenticate, defaults policy (SessionFixationProtectionStrategy) will create a new Session and SessionFixationProtectionStrategy will make it copy attributes,
since this new session is in HTTPS so Cookie marked as secure, later when we switch back to HTTP cookie will consequently not be transmitted resulting
in either a new session being created or the old invalidated one.
This can be fixed by using a org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
used by both
session-management invalid-session-url="/sessionTimeout.do2" session-authentication-strategy-ref="sas"
Maybe you should indicate it in documentation because many people have this issue.
I think issue affects more versions.
Luke Taylor said:
Thanks for pointing this out. I've updated the FAQ to mention this, and also to clarify that switching between HTTP and HTTPS is a bad idea in general.