Reputation: 810
In my JSP/servlet application some pages are in HTTPS and others in only HTTP. The login page is in HTTPS, and I've noticed that when I log in and redirect to an HTTP page, then the session is not being maintained. Could anyone help me fix this issue?
Upvotes: 2
Views: 1004
Reputation: 4873
That's because the redirect URL that you direct to does not have jsessionid.
Try this:
response.sendRedirect(response.encodeRedirectURL(contextPath + "/myServlet"));
But please be aware that since you are exposing the session ID in the URL, you're exposing your webapp to a Session Fixation Attack.
Upvotes: 0
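One way to avoid the session fixation exposure mentioned in the answer above, as an added example that is not part of the original answers: keep the session ID out of URLs entirely and issue a new ID at login. It assumes a Servlet 3.1+ container and that every page is served over HTTPS, since a Secure cookie is not sent over plain HTTP; the class and method names are hypothetical.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;

// Hypothetical class name; register via @WebListener or web.xml.
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Track sessions by cookie only: encodeURL()/encodeRedirectURL()
        // then never append ";jsessionid=..." to a URL.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Keep the cookie away from page scripts and off plain HTTP.
        ctx.getSessionCookieConfig().setHttpOnly(true);
        ctx.getSessionCookieConfig().setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }

    // Hypothetical helper: call from the login servlet once the
    // credentials have been verified, before sending the redirect.
    public static void rotateSessionId(HttpServletRequest request) {
        if (request.getSession(false) == null) {
            request.getSession(true);   // no pre-login session: start a fresh one
        } else {
            request.changeSessionId();  // same session object, new ID
        }
    }
}
```

With the ID rotated at login, a session ID that was planted or observed before authentication no longer identifies the authenticated session.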
Reputation: 3186
You should not move from HTTPS to HTTP, as you will lose confidentiality.
If you still wish to do this, you can manually pass on the Session ID from login (HTTPS) to the redirected page (HTTP).
The SSL Session ID (attribute name - javax.servlet.request.ssl_session_id) should not be revealed and hence it won't get carried over to HTTP.
Upvotes: 1