SEC-1660: Switch from HTTPS to HTTP does not work on Tomcat wont work if session-fixation protection is enabled #1898

Closed
spring-issuemaster opened this Issue Jan 20, 2011 · 1 comment

1 participant

@spring-issuemaster

Philippe Mouawad (Migrated from SEC-1660) said:

Hello, In your documentation here: http://static.springsource.org/spring-security/site/faq.html#faq-tomcat-https-session

You say: I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating. This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure.

I may be wrong but I don't understand how this can work.
Later when we authenticate, defaults policy (SessionFixationProtectionStrategy) will create a new Session and SessionFixationProtectionStrategy will make it copy attributes,
since this new session is in HTTPS so Cookie marked as secure, later when we switch back to HTTP cookie will consequently not be transmitted resulting
in either a new session being created or the old invalidated one.
This can be fixed by using a org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
used by both

  • session-management invalid-session-url="/sessionTimeout.do2" session-authentication-strategy-ref="sas"
    -org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

    Maybe you should indicate it in documentation because many people have this issue.
    I think issue affects more versions.

Philippe

@spring-issuemaster

Luke Taylor said:

Thanks for pointing this out. I've updated the FAQ to mention this, and also to clarify that switching between HTTP and HTTPS is a bad idea in general.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment