solonote

On session loss when switching from HTTPS to HTTP behind AJP


Background:

Cookies come in three forms:

1. HTTPS only: once the server redirects from HTTPS to HTTP, such a cookie stops working.

2. HTTP only: once the server redirects from HTTP to HTTPS, such a cookie stops working.

3. HTTP and HTTPS: switching protocols does not break the cookie.


The standard J2EE session cookie is named JSESSIONID.

When request.isSecure() == false, Tomcat/JBoss creates a JSESSIONID of the third form.

When request.isSecure() == true, it creates a JSESSIONID of the first form.

The AJP Connector has two relevant attributes:

secure, default false

scheme, default http


When Apache proxies to the AJP port, AJP receives the port the client connected on, 443 or 80.

The request that AJP constructs sets its secure value from that port: if it is 443, request.isSecure() is true.


Note:

Whenever the port AJP receives is non-zero, the secure and scheme attributes configured on the AJP Connector have no effect at all, whatever they are set to!

So once a session was created under HTTPS, redirecting to the HTTP port loses that session.


I do not know of any way to make Apache send a port value of 0 to AJP, so the current workaround is not to proxy port 443 over AJP and to use an HTTP proxy instead.
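The workaround above written out as Apache httpd configuration, as an added example that is not from the original post; the 127.0.0.1 backend address and the ports 8009/8080 are assumed Tomcat defaults, certificate directives are omitted, and the comments follow the post's description of how AJP derives the secure flag:

```apache
# Before: the HTTPS vhost is proxied over AJP. Apache forwards port 443, so
# request.isSecure() is true, JSESSIONID is created with the Secure flag, and the
# session is lost on the next redirect to port 80 (the Connector's secure/scheme
# attributes are ignored because the forwarded port is non-zero).
<VirtualHost *:443>
    SSLEngine on
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>

# After (the post's workaround): proxy the HTTPS vhost over plain HTTP to Tomcat's
# HTTP connector. Tomcat now sees a non-secure request, so JSESSIONID is created
# without the Secure flag and survives the redirect to port 80. Trade-off: the
# session cookie is no longer marked Secure, which is what the Spring Security
# FAQ quoted in the comments warns against.
<VirtualHost *:443>
    SSLEngine on
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Port 80 stays on AJP in both cases; the forwarded port 80 yields a non-secure request.
<VirtualHost *:80>
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```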


Comments

Comment 1: sy197661944, 2012-08-02
http://static.springsource.org/spring-security/site/faq.html

2.3


I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating.

This happens because sessions created under HTTPS, for which the session cookie is marked as “secure”, cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure (you will also have to disable Spring Security's Session Fixation Protection support to prevent it from creating a new secure session on login (you can always create a new session yourself at a later stage)). Note that switching between HTTP and HTTPS is not a good idea in general, as any application which uses HTTP at all is vulnerable to man-in-the-middle attacks. To be truly secure, the user should begin accessing your site in HTTPS and continue using it until they log out. Even clicking on an HTTPS link from a page accessed over HTTP is potentially risky. If you need more convincing, check out a tool like sslstrip.
