Wand Maker

Reputation: 18762

Cookie issue when switching between HTTP and HTTPS on Tomcat

I am working on a scenario where the site is present on both HTTP & HTTPS.

When the user has logged in to the HTTPS site, a "secure" JSESSIONID cookie is stored in the browser. If the user closes the browser and comes back, and this time wishes to use the HTTP login, the user is not able to log in, as the browser will not store the new "insecure" JSESSIONID, and also won't send the previously stored secure cookie to the server.

My question is:

  1. Is there a way that, when the user logs in using HTTP, the server can send a new "insecure" cookie in a way that converts the existing "secure" cookie to an "insecure" cookie with the new value?

  2. Is there a way to ask Tomcat to use a different cookie name for JSESSIONID on secure and insecure connections?

I tried to look it up on the internet, but it seems there is no way to do this. In that case, the end user may think that the site is not working.

Note: Yes, we can force the user to use HTTPS always. In fact, this is what we are trying to do. However, we have an option in the web app to disable HTTPS. So this is what is happening: the user thinks "This app is forcing me to use HTTPS, I don't want to use it. Let me disable it". To disable HTTPS, the user logs into the site on the HTTPS version and disables the HTTPS port, which triggers a server restart. The user now visits the HTTP site, but she can't log in, as the user never logged out of the HTTPS session and those cookies are still around. This is being seen as a usability issue, and I am trying to figure a way out of this.

Upvotes: 1

Views: 1184

Answers (2)

Wand Maker

Reputation: 18762

I ended up creating separate cookie names for HTTP & HTTPS sites.

Since our application is packaged and given to customers, they have the option of turning off HTTP or HTTPS. When HTTPS is turned on, we redirect all HTTP users to the respective HTTPS site. The issue appears when a customer admin decides to disable HTTPS: some users who had been using HTTPS and had not explicitly logged out of the system were stuck with secure cookies in the browser cache and could not log in to the system from the HTTP site. The workaround, of course, is to clear the browser cache, but to avoid support calls we were trying to find something that is transparent to the user.

When the site had HTTPS enabled, we could set up the Tomcat session cookie name to be JSESSIONID_HTTPS. This is somewhat a gist of what I had to make:

import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;

// Obtain the ServletContext, e.g. from ServletContextEvent.getServletContext()
// inside a ServletContextListener; the cookie name can only be changed before
// the context is initialized.
ServletContext sc = ....
SessionCookieConfig cookieConfig = sc.getSessionCookieConfig();

// Use a different session cookie name per scheme so a stale secure cookie
// left over from HTTPS does not shadow the session cookie issued over HTTP.
if (isHttpsEnabled) {
   cookieConfig.setName("JSESSIONID_HTTPS");
} else {
   cookieConfig.setName("JSESSIONID_HTTP");
}

Upvotes: 1

Christopher Schultz

Reputation: 20862

Tomcat will allow authentication without a secure channel.

Tomcat will only create a cookie with the "secure" flag set if the request came across a "secure" channel or if your <cookie-config> in WEB-INF/web.xml directs the container to use a secure cookie.

You must have configured either Tomcat or your application in some way to cause non-secure logins to fail.

Servers cannot re-write cookies on the client to change a "secure" cookie to a "non-secure" cookie. Cookies with the same name (e.g. JSESSIONID) for the same hostname and path will be handled according to the rules for cookie-handling. I recommend reading RFC 6265 for more information.

Upvotes: 1
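Added example, not taken from either answer or from Tomcat: a small Python model of the browser cookie store that shows why the stale secure JSESSIONID blocks the HTTP login described in the question, and why the split cookie names from the first answer avoid it. It applies the RFC 6265 rule that a Secure cookie is only sent over HTTPS, plus the "Leave Secure Cookies Alone" rule of RFC 6265bis (an HTTP response cannot overwrite an existing Secure cookie of the same name, domain and path), which is the browser behaviour the question reports; the hostname app.example is constructed.

```python
"""Constructed cookie-store model of the HTTPS-to-HTTP session problem above."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    domain: str = "app.example"  # constructed host name
    path: str = "/"


class CookieJar:
    """Cookie store keyed by (name, domain, path), as in RFC 6265 section 5.3."""

    def __init__(self) -> None:
        self._store: dict = {}

    def set_cookie(self, cookie: Cookie, scheme: str) -> bool:
        """Store a cookie received over `scheme`; False means the browser rejected it."""
        key = (cookie.name, cookie.domain, cookie.path)
        old = self._store.get(key)
        # RFC 6265bis "Leave Secure Cookies Alone": a response over plain http may not
        # replace an existing Secure cookie with the same name/domain/path.
        if scheme != "https" and old is not None and old.secure:
            return False
        self._store[key] = cookie
        return True

    def cookies_for(self, scheme: str) -> dict:
        """Cookie header for a request over `scheme`; Secure cookies need https (s5.4)."""
        return {c.name: c.value for c in self._store.values()
                if scheme == "https" or not c.secure}


def session_visible(jar: CookieJar, scheme: str, name: str, value: str) -> bool:
    """Simulate a login response over `scheme`, then check the next request carries it."""
    jar.set_cookie(Cookie(name, value, secure=(scheme == "https")), scheme)
    return jar.cookies_for(scheme).get(name) == value


def scenario(split_names: bool) -> bool:
    """Login over HTTPS, HTTPS then disabled, same browser tries to log in over HTTP."""
    jar = CookieJar()
    https_name = "JSESSIONID_HTTPS" if split_names else "JSESSIONID"
    http_name = "JSESSIONID_HTTP" if split_names else "JSESSIONID"
    assert session_visible(jar, "https", https_name, "S1")  # HTTPS login succeeds
    return session_visible(jar, "http", http_name, "S2")    # does the HTTP login stick?
```

With a single JSESSIONID name the HTTP login never becomes visible to the server (the secure cookie is neither sent nor replaced); with per-scheme names it does.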
