Question asked by SnoopJonny (United States):
Session dropped when switching from HTTP to HTTPS

I'm developing a custom shopping cart site with JSP and Torque on Tomcat.  The customer shops for products at:

http://www.mydomain.com/ 

and when they're ready to check out, they click a "check out" button and they're sent to:

https://secure.mydomain.com/

but the session gets dropped.  The cart empties out on the secure side.  Both hosts are on the same machine and the same instance of tomcat.  I figured the problem might be the host names, so I tried starting out on:

http://secure.mydomain.com/  and checking out with https://secure.mydomain.com/

and I have the same problem.  I want to avoid URL encoding because I have some flash navigation that I can't get rid of at this time.  I'm wondering if there's a solution I'm not thinking of.  I can grab the session id from the http instance of the site, but I don't know how to tell the https instance to use it.

Any help is appreciated.  Thanks!
Mick Barry (Australia):

It's a bit tricky; the simplest is to use https for the entire site.
Have a read of the solution offered here:

http://forum.java.sun.com/thread.jspa?threadID=197150&messageID=2255222

There is a framework which deals with security in a very clear and declarative way - Acegi Security (http://www.acegisecurity.org) - but you will have to introduce the Spring framework (http://www.springframework.org) into your project in order for Acegi to work. You can find a lot of articles on the net on how to integrate these frameworks into your project (e.g. http://java-x.blogspot.com/2006/12/spring-security-with-acegi-security.html).

Acegi could provide you with a lot of things, but you can reuse it just for assigning which URLs (JSP pages in your case) will be forced to go through an https (secure) connection and which should always go through a standard http connection. This Acegi filter is called securityChannelProcessingFilter and the configuration would be something similar to the next code (all JSP pages under the /secure folder will be forced to go over the secure channel; all other JSPs must go over the insecure http channel):



	<bean id="securityChannelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
		<property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/secure/*.jsp=REQUIRES_SECURE_CHANNEL
				/*.jsp=REQUIRES_INSECURE_CHANNEL
			</value>
		</property>
	</bean>


ASKER CERTIFIED SOLUTION
Kuldeepchaturvedi (United States)
SnoopJonny (asker):

I must have had a secure cookie pre-set that was prohibiting me from seeing that this was working.
Sometimes all it takes is a second pair of eyes... :-)
Glad to be of help.
Thanks for the help!
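Two browser-side rules decide whether the JSESSIONID cookie from the shop ever reaches the checkout, and both come up in this thread: a cookie without a Domain attribute (Tomcat's default) is host-only, so one set by www.mydomain.com is never sent to secure.mydomain.com; and a cookie flagged Secure, as in the closing comment, is withheld from every http:// request to that host, so the HTTP and HTTPS sides end up working with different sessions. The script below is an added example, not code posted by anyone in the thread; it replays constructed Set-Cookie headers through Python's standard-library cookie jar (http.cookiejar, which implements the Netscape cookie rules browsers of the period followed) and reports which Cookie header each URL would receive. The host names are the ones from the question; the cookie values are made up. Two caveats for anyone applying this: a cookie reaching the server is necessary but not sufficient, since Tomcat sessions belong to one web application and a second Host with its own context will not know the id; and a session id issued over cleartext HTTP can be read by anyone on the path, so honouring that same id on the HTTPS checkout lets a sniffer hijack the checkout, which is why serving the whole site over https (or issuing a fresh session id at the boundary and copying the cart into it) is the safer course.

```python
"""Which JSESSIONID cookie does the browser send when the shopper leaves
http://www.mydomain.com/ for https://secure.mydomain.com/?

Added example for this thread, not code posted in it. Drives the cookie
rules in Python's standard library (http.cookiejar) against constructed
Set-Cookie headers; host names are from the question, values are made up.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message.__setitem__ appends

    def info(self):
        return self._headers


def store(jar, received_from_url, set_cookie_values):
    """Feed Set-Cookie headers received from received_from_url into the jar,
    applying the same domain/path acceptance rules a browser would."""
    jar.extract_cookies(_Response(set_cookie_values), Request(received_from_url))


def cookie_header_for(jar, url):
    """Cookie header the browser would attach to a request for url ('' if none)."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def trace(received_from_url, set_cookie_value, probe_urls):
    """Store one cookie, then report what each probe URL would receive."""
    jar = CookieJar()
    store(jar, received_from_url, [set_cookie_value])
    return {url: cookie_header_for(jar, url) for url in probe_urls}


# Case 1 (the question): Tomcat's default cookie carries no Domain attribute,
# so it is host-only. The shop at www.* sets it; checkout at secure.* never sees it.
def host_only_session():
    return trace(
        "http://www.mydomain.com/",
        "JSESSIONID=cart123; Path=/",
        ["http://www.mydomain.com/cart", "https://secure.mydomain.com/checkout"],
    )


# Case 2 (constructed variant): the same cookie scoped to the parent domain does
# reach secure.*. Whether the HTTPS side then finds that session is a separate
# matter, since Tomcat sessions belong to one web application.
def domain_scoped_session():
    return trace(
        "http://www.mydomain.com/",
        "JSESSIONID=cart123; Path=/; Domain=.mydomain.com",
        ["http://www.mydomain.com/cart", "https://secure.mydomain.com/checkout"],
    )


# Case 3 (the closing comment): a cookie flagged Secure by an earlier HTTPS visit
# is withheld from every http:// request to the same host, so the HTTP side of
# the shop works with a different session from the one the HTTPS side receives.
def stale_secure_session():
    return trace(
        "https://secure.mydomain.com/",
        "JSESSIONID=oldcheckout; Path=/; Secure",
        ["http://secure.mydomain.com/", "https://secure.mydomain.com/"],
    )


if __name__ == "__main__":
    for case in (host_only_session, domain_scoped_session, stale_secure_session):
        print(case.__name__)
        for url, header in case().items():
            print(f"  {url:42} Cookie: {header or '(none)'}")
```

Run it as a script to see the three traces; each function also returns its URL-to-Cookie-header map so the behaviour can be asserted on directly.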