[jetty-dev] HTTPS to HTTP cookie issue (cookie config issue when switching between https and http)


[jetty-dev] HTTPS to HTTP cookie issue (cookie config issue when switching between https and http)

M. Sumanth
I have an issue when I log in to my machine via HTTPS and then try to log in via HTTP.
However, when I clear site data, I can successfully log in via HTTP. The problem occurs when I log in via HTTPS --> log out --> log in via HTTP - I can't log in again unless I clear site data.
This behaviour is observed after upgrading from Jetty 4.2.24 to Jetty 9.2.25.

I have tried to fix this by setting the 'secure' cookie option to false, which is not working.

I am using Jetty 9.2.25, which has Servlet 3.1. I have the cookie configuration below in my web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>

When I set this secure flag to true, it works as expected. But when I set it to false as shown above and access the HTTPS site, the secure flag is getting modified to true and I am not able to access the HTTP site. I don't understand how this is happening. Is this the default behaviour of Jetty 9.2.25 or Servlet 3.1? I tried to check the Servlet release notes, but there's no such update. Please provide any documentation links if this behaviour has been recorded as an update.

Any idea regarding this behaviour?

How can I keep secure as false when I access HTTPS by default, or how can I override this flag when I come back to HTTP?

Thanks in advance.

_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-dev

Re: [jetty-dev] HTTPS to HTTP cookie issue (cookie config issue when switching between https and http)

Jan Bartel
You might want to read issue https://github.com/eclipse/jetty.project/issues/3173 where we've been discussing HTTP/HTTPS session cookie configuration.

The exact servlet spec behaviour is discussed in the above issue: if <secure>true</secure>, then the cookie is marked as secure regardless of whether the cookie came from an HTTP or HTTPS request; if <secure>false</secure> then the cookie is marked as secure only if it came from HTTPS. So I think you've misunderstood the sense of what <secure> means.

regards
Jan

On Sat, 1 Dec 2018 at 14:51, M. Sumanth <[hidden email]> wrote:

--
Jan Bartel <[hidden email]>
www.webtide.com
Expert assistance from the creators of Jetty and CometD


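As an added illustration (not code from the thread, and not Jetty's own code), the following Python model encodes the <secure> rule Jan describes and replays the HTTPS login --> logout --> HTTP login sequence from the first message against a minimal browser cookie jar. The two cookie-jar rules (Secure cookies are only sent on HTTPS requests; a Set-Cookie received over plain HTTP cannot set a Secure cookie or overwrite one already stored as Secure, the RFC 6265bis "Leave Secure Cookies Alone" behaviour of current browsers) are my assumption about the client side; the thread itself only discusses the server-side flag. Session ids and cookie names other than JSESSIONID are constructed.

```python
from dataclasses import dataclass


def session_cookie_secure(config_secure: bool, request_is_https: bool) -> bool:
    """The <secure> rule as Jan states it: <secure>true</secure> marks the
    session cookie Secure on every response; <secure>false</secure> marks it
    Secure only when the session was created by an HTTPS request."""
    return config_secure or request_is_https


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class BrowserCookieJar:
    """Constructed, minimal browser cookie jar. Two rules are modelled (assumed
    client behaviour, not something the thread discusses):
      1. Secure cookies are only attached to HTTPS requests (RFC 6265 5.4).
      2. A Set-Cookie received over plain HTTP is ignored if it asks for the
         Secure flag, or if a cookie of that name is already stored as Secure
         (RFC 6265bis 'Leave Secure Cookies Alone', as current browsers do)."""

    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def store(self, cookie: Cookie, response_is_https: bool) -> bool:
        """Apply a Set-Cookie; return False if the browser drops it."""
        existing = self.cookies.get(cookie.name)
        if not response_is_https and (cookie.secure or (existing is not None and existing.secure)):
            return False
        self.cookies[cookie.name] = cookie
        return True

    def for_request(self, request_is_https: bool) -> dict[str, str]:
        """Cookies the browser would send on a request over the given scheme."""
        return {c.name: c.value for c in self.cookies.values()
                if request_is_https or not c.secure}

    def clear_site_data(self) -> None:
        self.cookies.clear()


class SessionServer:
    """Constructed server model: one JSESSIONID cookie per session, with
    config_secure standing in for <secure> in web.xml."""

    def __init__(self, config_secure: bool) -> None:
        self.config_secure = config_secure
        self.sessions: set[str] = set()
        self._counter = 0

    def login(self, jar: BrowserCookieJar, https: bool) -> bool:
        """Handle a login request. Returns True only if the browser ends up
        holding a session cookie it will send on this scheme."""
        sid = jar.for_request(https).get("JSESSIONID")
        if sid in self.sessions:
            return True                      # existing session is reused
        self._counter += 1
        sid = f"sess-{self._counter}"        # constructed session id
        self.sessions.add(sid)
        cookie = Cookie("JSESSIONID", sid,
                        session_cookie_secure(self.config_secure, https))
        return jar.store(cookie, response_is_https=https)

    def logout(self, jar: BrowserCookieJar, https: bool) -> None:
        """session.invalidate(): the server forgets the session, but nothing
        tells the browser to drop the now-stale cookie."""
        self.sessions.discard(jar.for_request(https).get("JSESSIONID"))


def replay_thread_scenario(config_secure: bool = False) -> list[tuple[str, bool]]:
    """HTTPS login -> logout -> HTTP login -> clear site data -> HTTP login,
    the sequence from the first message, with <secure>false</secure>."""
    server, jar = SessionServer(config_secure), BrowserCookieJar()
    results = [("https login", server.login(jar, https=True))]
    server.logout(jar, https=True)
    results.append(("http login", server.login(jar, https=False)))
    jar.clear_site_data()
    results.append(("http login after clearing site data", server.login(jar, https=False)))
    return results


if __name__ == "__main__":
    for step, ok in replay_thread_scenario():
        print(f"{step:38} {'ok' if ok else 'no usable session cookie'}")
```

Run as a script it prints one line per step. The stale Secure JSESSIONID left behind after logout is what blocks the HTTP login in this model: the browser neither sends it over HTTP nor lets the HTTP response replace it, so the client only gets out of that state by clearing site data, or if the HTTPS logout response itself expires the JSESSIONID cookie (an option the thread does not discuss).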

Re: [jetty-dev] HTTPS to HTTP cookie issue (cookie config issue when switching between https and http)

M. Sumanth
From this thread ( https://github.com/eclipse/jetty.project/issues/3173 ) and its discussion, we understand that the recent behavior is as per the Servlet Spec, but we really wanted to know the reason why this kind of requirement was stipulated in the Spec. For example, was there any vulnerability reported earlier? Or is it stipulated as a security enhancement to avert specific attacks or hijacks?

I have also updated this thread with detailed information; please provide your comments.



On Sun, Dec 2, 2018 at 8:03 PM Jan Bartel <[hidden email]> wrote:
