session sharing between https and http on jahia 6.6.0.0

by  namitgupta »  2013/02/22 09:22

Hi All,

I have a requirement for protecting certain pages of a webapp built on top of Jahia 6.6.0.0 using SSL. I have installed the certificate on the webserver (Apache) which is in front of Jahia (appserver: out-of-the-box Tomcat). Also, I have enabled and customized the ssl-urlrewrite.xml. The redirect rules used are as follows:

 

 

<rule enabled="true">
    <name>Rule for Administration</name>
    <note>Automatically redirects administration requests to a secure protocol.</note>
    <condition type="scheme" operator="equal">^http$</condition>
    <from>^/administration(.*)$</from>
    <to type="permanent-redirect" last="true">https://%{server-name}/administration</to>
</rule>

<rule enabled="true">
    <name>Rule for Start</name>
    <note>Automatically redirects administration requests to a secure protocol.</note>
    <condition type="scheme" operator="equal">^http$</condition>
    <from>^/start(.*)$</from>
    <to type="permanent-redirect" last="true">https://%{server-name}/start</to>
</rule>

<rule enabled="true">
    <name>Rule for login</name>
    <note>Automatically redirects administration requests to a secure protocol.</note>
    <condition type="scheme" operator="equal">^http$</condition>
    <from>^/cms/en/sites/ee/login(.*)$</from>
    <to type="permanent-redirect">https://%{server-name}/cms/en/sites/ee/login.html</to>
</rule>
 
The issue here is that we are not able to maintain the session between SSL and non-SSL requests. Whenever a transition happens between https and http pages, the session ID is lost and the user is prompted to log in again. I understand that Tomcat 6 doesn't allow sharing the session ID between SSL and non-SSL requests for security reasons. However, I would like to know if there is a way I can achieve this functionality, as making the entire website SSL compliant would result in heavy consumption of server resources and significant performance degradation.
 
Please let me know if anyone has ever come across a similar issue.
 
Regards,
Namit

  • Number of messages  36
    Registration date Feb 22, 2013

    Re: session sharing between https and http on jahia 6.6.0.0

    by  dgriffon »  2013/12/26 10:13

    Hello,

    Unfortunately, for the same security reasons as Tomcat, Jahia does not provide this kind of functionality. It is not possible to share user sessions between http and https.

    best regards,

    David

    David Griffon (dgriffon)
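
The behaviour discussed in this thread can be reproduced with a standard cookie jar. This is an added example, not code from either poster or from Jahia. It assumes the session cookie issued on the HTTPS login response carries the `Secure` attribute, which is what keeps it off plain-HTTP requests; the host, the `home.html` path and the session id are constructed sample values.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample values: host, page path and session id are illustrative.
LOGIN_URL = "https://www.example.com/cms/en/sites/ee/login.html"
HTTP_PAGE = "http://www.example.com/cms/en/sites/ee/home.html"
HTTPS_PAGE = "https://www.example.com/cms/en/sites/ee/home.html"
SECURE_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"


class FakeResponse:
    """Minimal stand-in for an HTTP response that carries one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def cookie_header_after_login(set_cookie, next_url, login_url=LOGIN_URL):
    """Store the cookie from the login response, then return the Cookie
    header the client would attach to a request for next_url (None if none)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, cookie in (("Secure", SECURE_COOKIE), ("no Secure", PLAIN_COOKIE)):
        for url in (HTTPS_PAGE, HTTP_PAGE):
            print(f"{label:10} -> {url}: {cookie_header_after_login(cookie, url)}")
```

With the `Secure` attribute the client sends no session cookie to the http page, so the server sees a request without a session and asks for a login. Without the attribute the same session id also travels over cleartext HTTP, which is the exposure the restriction exists to prevent.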
