Spring Security
  1. Spring Security
  2. SEC-1660

Switch from HTTPS to HTTP does not work on Tomcat wont work if session-fixation protection is enabled

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.RC1
    • Component/s: Docs and Website
    • Labels:
      None

      Description

      Hello, In your documentation here: http://static.springsource.org/spring-security/site/faq.html#faq-tomcat-https-session

      You say: I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating. This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure.

      I may be wrong but I don't understand how this can work.
      Later when we authenticate, defaults policy (SessionFixationProtectionStrategy) will create a new Session and SessionFixationProtectionStrategy will make it copy attributes,
      since this new session is in HTTPS so Cookie marked as secure, later when we switch back to HTTP cookie will consequently not be transmitted resulting
      in either a new session being created or the old invalidated one.
      This can be fixed by using a org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
      used by both

      • session-management invalid-session-url="/sessionTimeout.do2" session-authentication-strategy-ref="sas"
        -org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

      Maybe you should indicate it in documentation because many people have this issue.
      I think issue affects more versions.

      Philippe

        Activity

        Hide
        Luke Taylor added a comment -

        Thanks for pointing this out. I've updated the FAQ to mention this, and also to clarify that switching between HTTP and HTTPS is a bad idea in general.

        Show
        Luke Taylor added a comment - Thanks for pointing this out. I've updated the FAQ to mention this, and also to clarify that switching between HTTP and HTTPS is a bad idea in general.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Philippe Mouawad
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: