Reputation: 19552
Assume I have an SSL connection to a web site from a browser.
From the page I press a button and I am in another part of the site (different page). Under what circumstances would the connection be re-negotiated?
On servlet redirect? Forward? What flow?
And what is the correct flow in this case? Note that the whole site is HTTPS. I.e. there are no plain HTTP areas or external links (ads etc).
Container would be tomcat.
Upvotes: 2
Views: 154
Reputation: 122599
The SSL/TLS connection would typically be re-negotiated if the server requests it for client-certificate authentication (this is done by disabling client auth on the connector, but asking for CLIENT-CERT authentication within a webapp's web.xml).
Otherwise, the HTTP requests/responses are exchanged as part of the normal pool of concurrent TCP connections made by the browser (this has more to do with HTTP connection re-use than with SSL/TLS), with its usual timeout settings (not specific to SSL/TLS). Modern browsers should be able to re-use SSL/TLS sessions to avoid having to do a full SSL/TLS handshake for each. There is a timeout for SSL/TLS sessions too, but it's usually long enough; re-establishing a new connection will be done transparently by the browser anyway.
There are also various mechanisms to reduce the overhead due to SSL/TLS handshakes (with support depending on the browser), although False Start doesn't seem to be a success.
Upvotes: 2
Reputation: 5366
When you click that button on a web page the connection is established (i.e. a GET or POST to the server). HTTP 1.1 keeps that connection open for the entire request to get all the resources such as the HTML of the web page and subsequent images, CSS, JS, etc. If you wanted to keep the connection open between user-initiated requests, you could look into keep-alive. There is some controversy around whether it should be used for HTTPS (or even HTTP, however).
Despite keep-alive settings, your browser may or may not attempt to keep the connection open for a period of time anyway in case you click something else in say a 60 second window. The above link gives some more detail on this.
Servlet redirects or forwards should have no implications or reasons to renegotiate the connection. It would use the same one as it created when the user clicked the button.
Upvotes: 1