Thread: Fundamental issue in Spring Security visiting an http page after login, workarounds?

  1. #1 (Join Date: Feb 2008, Posts: 169)

    Fundamental issue in Spring Security visiting an http page after login, workarounds?

    I'm a little confused and am extremely anxious to solve this issue so I can launch my application. Everything works great with Spring Security without https. But, of course, like any web application I need to have the login and signup pages secured with https. Now when someone logs in, they get a new session id cookie with its Secure attribute set. That's great, nobody can hijack your session and be logged in as you.

    However, the cookie name is still JSESSIONID, so it replaces your old cookie and you lose your old session. Now, when you go to an http page, like my homepage, your session gets reset once again because Spring/Spring Security thinks you don't have a session id at all. Your browser doesn't send an http page your secure cookie. In fact URLs are rewritten with the session id too. This essentially logs you out!

    Ideally I'd imagine you would get 2 cookies, your secure cookie after logging in and your non-secure cookie that you started with. This way you can show information for the logged in user that is not the end of the world if their session is hijacked. When they access a protected page that is https then their secure cookie needs to be in play.

    So one workaround is we just take off the Secure attribute from the cookie when logging in. How do I do that in Spring Security? Of course, now session hijacking is possible. I really don't want that, but if that's a security flaw I have to live with in order to use Spring Security I'll deal with it until I implement something better.

    Are there any workarounds? Am I misunderstanding something here? This seems very basic and something 90% of web app developers must deal with. But maybe others are content to have every page come up in https after logging in. That's not an option for me.

  2. #2 (Join Date: Aug 2004, Posts: 2,715)

    Perhaps this could be resolved by setting the session-fixation-protection attribute to "none" and using the appropriate Channel security settings.

    Hope that helps,
    Andreas

  3. #3 (Join Date: Feb 2008, Posts: 169)

    Quote Originally Posted by Andreas Senft
    Perhaps this could be resolved by setting the session-fixation-protection attribute to "none" and using the appropriate Channel security settings.

    Hope that helps,
    Andreas
    Thank you for the reply Andreas! So it looks like setting the session-fixation-protection attribute to none will partially provide a workaround. Session hijacking, and obviously session fixation, are now issues, but issues I can temporarily live with until I figure out something better. At least credit card information, passwords and other sensitive data will remain completely secure.

    This only partially solves the issue because if someone starts a session in an https page, they are doomed according to the FAQ (http://static.springframework.org/sp...-https-session). Is there a way for Spring Security or Tomcat to not set the Secure attribute of session cookies so that users aren't constantly unexpectedly logged out if they started a session in an https page?

  4. #4 (Join Date: Feb 2008, Posts: 169)

    I would like to point out the problem with the very common situation of your login page being https and your logout mechanism directing you to your login page. I have to imagine many others have been frustrated by this.

    What happens is when your users logout, then log back in, they will be logged out when they come upon an http page of your site for the reason mentioned above. And if the destination page after login is http, then it will appear like they have to login twice in a row to actually login.

    Basically, you cannot specify your login page as your logout-success-url if your login page is allowed to be https. Your logout-success-url must be to an http page.
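    The configuration the thread converges on, written out as an added example rather than code from any of the posters: Andreas' suggestion from post #2 (session-fixation-protection set to "none" together with channel security on the login, signup and sensitive URLs) combined with the constraint from post #4 (logout-success-url pointing at an http page instead of the https login page). It uses the Spring Security 2.0 namespace, which is the version where session-fixation-protection is an attribute of the http element; the URL patterns, the port numbers and the in-memory user are assumptions for illustration only.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- session-fixation-protection="none": keep the pre-login JSESSIONID instead of
         issuing a fresh (Secure) one at authentication time, as suggested in post #2.
         Trade-off named in the thread: the same session id is used before and after
         login and is sent over plain http, so fixation and hijacking are no longer
         prevented by Spring Security. -->
    <http auto-config="true" session-fixation-protection="none">

        <!-- Channel security: login, signup and the sensitive area are forced to https;
             every other page is explicitly served over http so the browser keeps
             sending the non-Secure session cookie there. (Assumed URL patterns.) -->
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
        <intercept-url pattern="/signup*"    access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
        <intercept-url pattern="/account/**" access="ROLE_USER"                    requires-channel="https"/>
        <intercept-url pattern="/**"         access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>

        <form-login login-page="/login.jsp" default-target-url="/index.jsp"/>

        <!-- Post #4: after logout, land on an http page (the homepage), never on the
             https login page, otherwise the next login appears to need two attempts. -->
        <logout logout-success-url="/index.jsp"/>

        <!-- Assumed non-default ports for a development Tomcat so the http<->https
             redirects issued by channel security resolve correctly. -->
        <port-mappings>
            <port-mapping http="8080" https="8443"/>
        </port-mappings>
    </http>

    <!-- Assumed in-memory user, only so the example is a complete, loadable context. -->
    <authentication-provider>
        <user-service>
            <user name="alice" password="changeme" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</beans:beans>
```

    This only covers the case the thread calls solvable: a user whose session cookie was first issued on an http page keeps that cookie through login, because no new session is created. The remaining gap from post #3 is unchanged by this configuration: a user whose very first request hits an https URL receives a JSESSIONID with the Secure attribute from the container, and that cookie is never sent back on http pages.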
