?
Solved

Allowing Multiple HTTPS Sessions Within The Same Browser Session

Posted on 2005-03-15
10
Medium Priority
?
172 Views
Last Modified: 2010-04-01
Hi there,

I have two seperate webapps running on HTTPS protocol (listening on port 443) using 2 different certicates.

When users access the first HTTPS webapp the browser will prompt them to accept the certificate once, their sessions will be valid throughout the pages in the same webapp. But then when I try to portforward them to another HTTPS webapp through another port, let's say 9800, within the same IP, the second webapp page will prompt the user to accept the new certificate of it (which it should) and then the session of the first webapp will no longer be valid. (The session id has changed).

To make things  clear here's the portforwarding process:

https://mymachineip:443/webapp1

to

https://mymachineip:9800/webapp2

I use javascript window.open to open a new window for the second webapp, while maintaing the 1st webapp page in the old browser window (because some services are still needed). My main question is, can I create a brand new session for the HTTPS page? I have seen some old threads posted here but the solutions do not apply successfully to the HTTPS webapp. FYI if both HTTPS Webapps use the same cert then no problem will occur. It works well too if both webapps are HTTP protocol.

Any advice from the experts would be helpful. Maybe some workarounds too. Thanks in advance.
0
Comment
Question by:ceoconsultancy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
10 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 13543392
Is this with Internet Explorer?

You can try:

1. Start Internet Explorer, then choose Tools | Internet Options
2. Change to Advanced tab
3. In the list, under Browsing node unselect Reuse windows for launching shortcuts checkbox
4. Press OK
0
 
LVL 29

Accepted Solution

by:
bloodredsun earned 2000 total points
ID: 13543633
I suppose that you could force this behaviour by disabiling cookie based session and use url rewriting to put the jsessionid in the url. If you do this you should be able to pass the jsession quite easily.

 It just depends on whether your hosting machine will be able to use the session in a cross context manner across the two webapps...
0
 

Author Comment

by:ceoconsultancy
ID: 13552287
Sorry YimYates that trick doesn't work, even if it does we do not want to educate the users to do it that way. (It's hard to educate non-computer-literate users). Anyway it does work if we use runtime to open a new window, but that's not what we want.

Yeah url rewriting could be a solution, but i need to clarify one thing before i proceed blindly to the implementation because it involves too many links to be encoded. I m not sure if it works with this https browser behavior:

Everytime user click yes to accept a new cert in the child window (2nd webapp),  the session of both parent and child window changes (and will be invalidated). And then user switches back to the parent window and tries to access other links, he/she will be prompted to accept the cert for the parent window again (1st webapp), and thus causing the session to change again. In short, switching the access between the 2 windows will constantly prompt the users to accept the certificates of one another (This might annoy them), and refresh the window session as well.

How could url rewritting work with this situation? I believe dropping the jsessionid alone wouldn't be sufficient. The session refreshes too frequently. Any solution for this?

FYI even if we force the users to install the certificate the IE still prompt user for ack before it loads the page....

Another quick question: Any security concern if we have both webapps sharing the same certificate? Thanks in advance!

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:bloodredsun
ID: 13731867
>>Yeah url rewriting could be a solution
Not sure if it was a solution but I proposed a possible one.
0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 14232267
As long as "YimYates" has no objections ;-)
0
 
LVL 35

Expert Comment

by:TimYates
ID: 14233571
I asked him, and he said it was fine ;-)

hehehe
0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 14236141
You're such a "dag"!
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question